Bug#689562: utempter: Allows fake host setting

To: 689562@bugs.debian.org
Subject: Bug#689562: utempter: Allows fake host setting
From: paul.szabo@sydney.edu.au
Date: Sat, 6 Oct 2012 20:42:50 +1000
Message-id: <201210061042.q96AgoIJ019571@bari.maths.usyd.edu.au>
Reply-to: paul.szabo@sydney.edu.au, 689562@bugs.debian.org

Some relevant discussion:

http://archives.neohapsis.com/archives/linux/lsap/2001-q1/0067.html
  >> After reading the code, ... utempter
  >> allow for setting arbitrary ut_host's.
  >
  > Hm, version 0.5 which is what we're using has this:
  >
  > if (!getuid()) {
  > host = argv[3]; /* either NULL or something real */
  > } else {
  > host = NULL;
  > }
  >
  > which seems perfectly safe to me.
  
  I didn't notice the UID check. Why would utempter be run
  as root, though? ...
  
  ...
  
  > ... Or take ut_host; connecting to your sshd and making the
  > reverse lookup return funky stuff definitely has potential as well.
  
  Yes, and I am not sure of where this should be fixed. Maybe the libc
  interface should sanitize the structure contents before writing? But
  then there's not even a return value to indicate the error. Perhaps,
  just log the IP address when the hostname looks bad? (The IP address
  is (should be) also logged separately either way.)

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

Reply to:

Prev by Date: Bug#689339: marked as done (kwalletmanager: the kwalletmanager GUI does not appear)
Next by Date: Bug#689805: Should recommend package vlc-plugin-pulse
Previous by thread: Bug#689562: utempter: Allows fake host setting
Next by thread: [bts-link] source package kdemultimedia
Index(es):
- Date
- Thread