
Re: [SECURITY] please unblock beast 0.6.6-8



Hi Sam,

On Tue, Mar 20, 2007 at 11:40:17AM +0100, Sam Hocevar wrote:
>    This version of beast fixes a memory corruption issue and a bug in
> the suid wrapper that may give root control to an attacker. No advisory
> has been released AFAIK but it is similar to CVE-2006-2916.

+@@ -77,6 +76,12 @@
+ #else
+ #error platform misses facility to drop privileges
+ #endif
++      /* verify priviledge drop */
++      if (geteuid() != uid)
++        {
++          fprintf (stderr, "%s: failed to drop priviledges: %s\n", argv[0], errno ? strerror (errno) : "Unknown error");          _exit (255);
++        }
+     }
+
+   /* non-priviledged code */
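Review bot: the check at `if (geteuid() != uid)` only confirms the effective uid, so it would still pass if the platform-specific drop above left the saved set-user-ID (or the real uid) at 0, which is exactly the state that lets a process regain root later; comparing all three ids against `uid`, e.g. via `getresuid()` on Linux and `getuid()`/`geteuid()` where that is unavailable, would make the check match what the comment promises. The message also reads `errno` after `geteuid()`, which never sets it, so the `strerror` printed is whatever an earlier call left behind; capture `errno` immediately after the failing drop call and print that value instead. Finally, "priviledge" in the comment, the message and the trailing `/* non-priviledged code */` comment should read "privilege"/"privileged".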

uhm... that's spelled 'privileges', could you please fix this? :)

Can you explain how this is exploitable?  In CVE-2006-2916, the description
is "allows local users to gain root privileges by causing setuid to fail".
um... how is an unprivileged local user going to cause setuid() to fail?

Patch 012 is clear enough, but patch 011 seems to be a no-op on Linux, and
if it's not a no-op it has a spelling mistake.  (Well, it's possible that
setuid() will fail on an SELinux system, but then root privilege doesn't get
you much on an SELinux system...)

Anyway, if you fix the above bug I'll hint it in.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
