oss-sec mailing list archives
Re: CVE Request: powerdns does not clear supplementary groups
From: Solar Designer <solar () openwall com>
Date: Fri, 25 May 2012 02:56:46 +0400
On Thu, May 24, 2012 at 06:15:53PM -0400, Steve Grubb wrote:
Here is a real life case: + if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid) != 0 || + setuid(pw->pw_uid) != 0 ) This is not upstream. This is a patch to drop capabilities by changing uid/gid. The person writing the patch intended to do the right thing - but failed. See the bug? This is in a network facing daemon that parses untrusted network packets.
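Review bot: in the first `+` line, the second argument of initgroups() is a gid_t, so the NULL passed there is converted to group 0 and gid 0 ends up in the supplementary list; the setgid(pw->pw_gid) that follows only changes the primary group and does not remove it. Pass the account's primary group instead, `initgroups(pw->pw_name, pw->pw_gid)`, and treat the pointer-to-integer conversion warning as a build error so this form cannot compile.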
Wow. The NULL results in group 0 being added to the supplementary groups list (so it survives the setgid(), at least on my quick test).

How did you spot this? Compiler warning?

"passing arg 2 of `initgroups' makes integer from pointer without a cast"

Alexander
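A hardened form of the privilege drop discussed in this message, as an added example (not code from the thread or from PowerDNS): it passes the primary gid to initgroups() and then verifies the outcome instead of trusting the calls. The function names, and the assumption that the service account is not itself a member of group 0, are this example's own.

```c
#define _DEFAULT_SOURCE            /* expose initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>

/* Return 1 if gid occurs in list[0..n), else 0. */
int has_gid(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

/* Is gid in this process's live supplementary list? 1 yes, 0 no, -1 error. */
int process_has_supp_gid(gid_t gid)
{
    int n = getgroups(0, NULL);            /* size query */
    if (n < 0)
        return -1;
    gid_t *list = calloc((size_t)n + 1, sizeof *list);
    if (list == NULL)
        return -1;
    n = getgroups(n, list);
    int found = (n < 0) ? -1 : has_gid(list, n, gid);
    free(list);
    return found;
}

/* Drop from root to the account in pw; 0 only if the drop is verified.
 * Assumption: the service account is not a member of group 0. */
int drop_privileges(const struct passwd *pw)
{
    /* Second argument is the gid_t primary group, not a pointer. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0)
        return -1;
    /* Post-conditions: ids switched, root not regainable, no gid 0 left. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || getegid() != pw->pw_gid)
        return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;
    if (pw->pw_gid != 0 && process_has_supp_gid(0) != 0)
        return -1;
    return 0;
}
```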