Re: Pre-approval for shadow 1:4.1.1-6
Hi,
On Sat, Nov 15, 2008 at 01:43:30AM +0100, Florian Weimer wrote:
> * Nicolas François:
>
> > Release Managers, Security Team:
> > Do you want 505071 to be fixed also for Lenny?
>
> Do you mean "etch" instead of "lenny"?
No, I really meant "Lenny" for 505071.
For 505271, I assumed it requires a fix for Lenny, and probably for
Etch.
In 505071, the problem is if I insert utmp entries for every possible PID,
with an ut_line pointing, for example, to /dev/null. Then is_my_tty will
fail, and login will be denied (until reboot).
login selects the first utmp entry (checkutmp) which matches with the PID,
but validate the ut_line much later (is_my_tty). One possible fix would be
to move is_my_tty in checkutmp to avoid being disturbed by un-closed
entries and select (or build) the right entry is the first place.
> We'd probably release a DSA once there's a patch which has some track
> record, but as far as I can tell, the issue has not been fully
> analyzed yet. You guard against a symlink attack, but you don't seem
> to ensure that the TTY name retrieved from the utmp file is correct in
> the first place.
Before the extract of the patch, is_my_tty is called.
This ensure that tty (retrieved from utmp) and STDIN_FILENO refers to the
same device.
The is_my_tty check is kept, isn't it sufficient?
What the patch fixes is, if tty is a symlink, I really change the
ownership/mode of the device, not of tty, which may have changed since the
call to is_my_tty.
I split the two bugs because the I did not consider the DOS issue serious
enough, and the fix will have a bigger impact.
But if Security Team wants the fix for Lenny, and Etch, then I can prepare
a patch.
Best Regards,
--
Nekral
Reply to: