[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] inetutils ftpd, rcp, rlogin, rsh, rshd, uucpd: Avoid potential privilege escalati
From: Solar Designer <solar () openwall ! com>
Date: 2023-12-30 21:15:49
Message-ID: 20231230211549.GA18597 () openwall ! com
[Download RAW message or body]
On Sat, Dec 30, 2023 at 05:26:00PM +0100, Solar Designer wrote:
> > * Noteworthy changes in release 2.5 (2023-12-29) [stable]
> >
> > ** ftpd, rcp, rlogin, rsh, rshd, uucpd
> >
> > *** Avoid potential privilege escalations by checking set*id() return values.
> > Reported by Jeffrey Bencteux in
> > <https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg00000.html>.
This is CVE-2023-40303.
> notably Debian (and Ubuntu) does
> package inetutils (and has already updated to 2.5 in unstable)
Debian also patched the issues in LTS:
https://lists.debian.org/debian-lts-announce/2023/10/msg00013.html
> Jeffrey's initial message also says:
>
> > There are cases where set*id() functions can fail, for example multiple
> > calls to the clone() function can cause setuid() to fail when the user
> > process limit is reached.
>
> Linux kernel hardening patches have been mitigating this for some years,
> and a mitigation (postponing RLIMIT_NPROC enforcement to execve(2) time,
> if ever) got into upstream Linux, as I recall after this thread in 2011:
>
> https://www.openwall.com/lists/kernel-hardening/2011/06/12/9
>
> I hope on current Linux this dangerous failure mode is not triggerable,
> but indeed programs must not rely on that, and I think inetutils isn't
> Linux-only.
There's still the supposedly-cannot-fail memory allocation on setuid(),
where it contains a supposedly-unreachable error return code. Back
then, I failed to convince the maintainers to replace that code with
crashing the process, which would be a safer action to take on such
supposedly-impossible conditions if they ever do become possible.
Also, LSMs can alter the behavior of setuid(), including adding new
reasons why it can fail.
> Also, initgroups() may still fail, and omitting it or setgroups() will
> leave supplementary groups potentially inherited by a service intact.
Alexander
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic