Your message dated Wed, 3 Mar 2010 21:47:33 +0100
with message-id <20100303204733.ga2...@galadriel.inutil.org>
and subject line Re: possible vulnerability in sudo glob processing
has caused the Debian Bug report #565223,
regarding possible vulnerability in sudo glob processing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
565223: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=565223
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sudo
Version: 1.6.9p17-2
Severity: grave
Tags: security patch
Justification: user security hole


I'm investigating #556562 (wildcard "*" sudoers rules are broken),
filed by a co-worker.  I discovered it's your basic use-after-free
problem, fixed by the following patch:

--- parse.c     2010/01/13 21:59:04     1.1
+++ parse.c     2010/01/13 21:59:12
@@ -316,9 +316,11 @@
                break;
            }
        }
-       globfree(&gl);
-       if (*ap == NULL)
+       if (*ap == NULL) {
+           globfree(&gl);
            return(FALSE);
+       }
+       globfree(&gl);
 
        if (!sudoers_args ||
            (!user_args && sudoers_args && !strcmp("\"\"", sudoers_args)) ||
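Review bot: the reordering is correct, but the post-loop test still keys off `*ap`, a pointer into `gl.gl_pathv`, so the lifetime dependency stays implicit and the same read of freed memory comes back as soon as anyone inserts code between the loop and the `if (*ap == NULL)` check; setting a local `found` flag inside the loop and testing it after a single `globfree(&gl)` makes the result independent of the freed array and also removes the duplicated `globfree` in the two branches.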

However, in tracking down just why globfree causes *ap to be NULL in
our case, and digging into the malloc/free implementation details, it
appears that the first word stored in the freed object (in this case
the gl.gl_pathv array) can be overwritten with a linked-list pointer.
Depending on the block size, other fields can be overwritten too.

This means it may be influenced by other malloc/free activity in the
process, and the number of entries in the directory matching the glob
pattern, and the lengths of the filenames freed up before the
gl.gl_pathv array itself is freed up, and I have not yet convinced
myself that the first isn't subject to some amount of control by an
attacker logged in to the system.  If the attacker can cause *ap to be
non-null when it shouldn't be, he may be able to execute commands he
shouldn't be able to.


-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (1001, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-2-permabit1-686-bigmem (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages sudo depends on:
ii  libc6                     2.7-18         GNU C Library: Shared libraries
ii  libpam-modules            1.0.1-5+lenny1 Pluggable Authentication Modules f
ii  libpam0g                  1.0.1-5+lenny1 Pluggable Authentication Modules l

sudo recommends no packages.

sudo suggests no packages.

-- no debconf information



--- End Message ---
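The bug report above turns on ordering: the match decision must be taken, and recorded somewhere that does not live inside `gl.gl_pathv`, before `globfree()` releases that array. The following is an added example of that pattern written as a stand-alone C function; it is not sudo's code and not from the bug thread. The names `glob_command_matches` and `demo_glob_check`, the scratch directory under `/tmp`, and the file names `backup-2010.sh` and `shell` are all constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if 'path' is one of the expansions of 'pattern', 0 otherwise.
 * The decision is recorded in a local while gl.gl_pathv is still live;
 * globfree() is the last operation on gl, so nothing reads freed memory
 * (the report above describes the allocator overwriting the first word
 * of a freed chunk, which is exactly what the original test consulted). */
int glob_command_matches(const char *pattern, const char *path)
{
    glob_t gl;
    int matched = 0;

    memset(&gl, 0, sizeof gl);
    if (glob(pattern, GLOB_NOSORT, NULL, &gl) != 0 || gl.gl_pathc == 0) {
        globfree(&gl);           /* harmless on a zeroed / empty glob_t */
        return 0;
    }
    for (char **ap = gl.gl_pathv; *ap != NULL; ap++) {
        if (strcmp(*ap, path) == 0) {
            matched = 1;         /* remember the result, not the pointer */
            break;
        }
    }
    globfree(&gl);               /* after the final use of gl.gl_pathv */
    return matched;
}

/* Constructed scenario (hypothetical names): one scratch directory, one
 * file the pattern covers and one it does not. Returns 1 when the check
 * answers correctly, 0 on a wrong answer, -1 if setup fails. */
int demo_glob_check(void)
{
    char dir[64], allowed[128], denied[128], pattern[128];
    int fd, ok;

    snprintf(dir, sizeof dir, "/tmp/globdemo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(allowed, sizeof allowed, "%s/backup-2010.sh", dir);
    snprintf(denied,  sizeof denied,  "%s/shell", dir);
    snprintf(pattern, sizeof pattern, "%s/backup-*.sh", dir);

    if ((fd = open(allowed, O_CREAT | O_WRONLY, 0600)) < 0)
        return -1;
    close(fd);
    if ((fd = open(denied, O_CREAT | O_WRONLY, 0600)) < 0)
        return -1;
    close(fd);

    /* The pattern must admit the matching file and reject the other one. */
    ok = glob_command_matches(pattern, allowed) == 1 &&
         glob_command_matches(pattern, denied) == 0;

    unlink(allowed);
    unlink(denied);
    rmdir(dir);
    return ok;
}

int main(void)
{
    int r = demo_glob_check();
    printf("ordering-safe glob check: %s\n",
           r == 1 ? "ok" : r == 0 ? "WRONG ANSWER" : "setup failed");
    return r == 1 ? 0 : 1;
}
```

The design point is the `matched` flag: once the answer lives in a plain local, the `glob_t` can be released at a single place and later edits to the function cannot reintroduce a dereference of the freed array.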
--- Begin Message ---
Version: 1.7.0-1

On Wed, Jan 13, 2010 at 06:17:36PM -0500, Ken Raeburn wrote:
> Package: sudo
> Version: 1.6.9p17-2
> Severity: grave
> Tags: security patch
> Justification: user security hole
> 
> 
> I'm investigating #556562 (wildcard "*" sudoers rules are broken),
> filed by a co-worker.  I discovered it's your basic use-after-free
> problem, fixed by the following patch:

I've contacted Todd Miller and he pointed me to 
http://sudo.ws/bugs/show_bug.cgi?id=300.

1.6.9p18 was never uploaded to the archive, as such I'm marking
1.7.0-1 as fixed.

Cheers,
        Moritz


--- End Message ---
