Bug 698772 - VUL-0: opie: off by one errors in opiesu
VUL-0: opie: off by one errors in opiesu
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
E-mail List
maint:released:11.3:41885 maint:relea...
Depends on:
  Show dependency treegraph
Reported: 2011-06-08 13:30 UTC by Sebastian Krahmer
Modified: 2011-10-31 21:03 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

patch proposal for the setuid() bug (501 bytes, patch)
2011-06-22 08:37 UTC, Sebastian Krahmer
Details | Diff
patch proposal for opiesu overflow bug (886 bytes, patch)
2011-06-22 08:38 UTC, Sebastian Krahmer
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Krahmer 2011-06-08 13:30:36 UTC
In opiesu.c we have a miscalculation for the malloced buffer
(missing the last \0 byte after the last strcat):

  int argvsize = 0;
  for (i = 0; i < argc; argvsize += strlen(argv[i++]));
  argvsize += argc;
  if (!(argvbuf = malloc(argvsize))) {
    syslog(LOG_ERR, "can't allocate memory to store command line");
  for (i = 0, *argvbuf = 0; i < argc;) {
    strcat(argvbuf, argv[i]);
    if (++i < argc)
      strcat(argvbuf, " ");

And probably this one isnt correct too:

  strcat(pathbuf, DEFAULT_PATH);

To reproduce just type "opiesu" to trigger the runtime
overflow check.
Comment 1 Sebastian Krahmer 2011-06-20 09:48:55 UTC
Also, opielogin is not checking setuid() return value, e.g. this
is a local root exploit.
Comment 2 Marcus Meissner 2011-06-20 13:11:06 UTC
Update together with permissions that removes all setuid bits from opie* as the code likely is unused
Comment 3 Sebastian Krahmer 2011-06-22 08:37:56 UTC
Created attachment 435901 [details]
patch proposal for the setuid() bug

Comment 4 Sebastian Krahmer 2011-06-22 08:38:32 UTC
Created attachment 435902 [details]
patch proposal for opiesu overflow bug

Comment 5 Sebastian Krahmer 2011-06-22 14:23:10 UTC
Just for the record, the problematic off by one is
probably the

strcat(pathbuf, DEFAULT_PATH);

(static buffer missing the space for the "=")
as the crash doesnt happen when fixing this. However I
keep the patch as is since it is fixing the problem(s).
Comment 7 Swamp Workflow Management 2011-06-22 14:31:51 UTC
The SWAMPID for this issue is 41782.
This issue was rated as moderate.
Please submit fixed packages until 2011-07-06.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 8 Ludwig Nussel 2011-06-27 08:21:31 UTC
CVE-2011-2489 opiesu Off by one
CVE-2011-2490 opiesu missing setuid() check
Comment 9 Bernhard Wiedemann 2011-06-28 14:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (698772) was mentioned in
https://build.opensuse.org/request/show/74775 11.4 / permissions
https://build.opensuse.org/request/show/74776 Factory / permissions
Comment 10 Marcus Meissner 2011-07-05 16:13:06 UTC
trying to get it to build for Factory still... other updates are checked in.
Comment 11 Marcus Meissner 2011-07-13 13:30:06 UTC
factory done, reassign for tracking
Comment 13 Marcus Meissner 2011-07-20 14:40:43 UTC
the setuid bit is supposed to be gone, as we also released a "permission" update
doing just that.

for testing you can briefly readd it.

the setuid bit removal from opiesu should have also happened on sle11-sp1. Can you check that the correct permission and opie packages were installed?
Comment 14 Neven Friedrich 2011-07-21 14:55:38 UTC
On every SLE11 host I have same results:

frisch:~ # rpm -q opie permissions
frisch:~ # ls -l `which opiesu`
-rwsr-xr-x 1 root root 44752 Jun 29 23:12 /usr/bin/opiesu
Comment 15 Marcus Meissner 2011-07-21 15:10:51 UTC
Does a SuSEconfig --module permissions   remove it?

Anyway, this is a optional feature of this update, important is that
opiesu no longer crashes
Comment 16 Marcus Meissner 2011-07-21 15:36:32 UTC
ludwig just told me what the issue is,
opiesu got removed completely from permissions, so the ordner of installation
is important.

if permissions got installed first, it wont have removed the setuid bit.

Again, this is harmless, we added this as a new measure.
Comment 17 Neven Friedrich 2011-07-26 13:36:30 UTC
I will approve updates now, however on SLES10-SP4 and SLES10-SP3 ppc64 opie pam is not working as pam_opie.so module is not present under /lib64/security . This is not a regression . bnc#708353
Comment 18 Swamp Workflow Management 2011-07-27 07:58:43 UTC
Update released for: opie, opie-debuginfo, opie-debugsource, permissions, permissions-debuginfo, permissions-debugsource
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 19 Swamp Workflow Management 2011-07-27 10:58:08 UTC
Update released for: opie, opie-debuginfo, permissions
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 20 Swamp Workflow Management 2011-07-27 11:16:17 UTC
Update released for: opie, opie-32bit, opie-debuginfo, opie-debuginfo-32bit, opie-debuginfo-x86, opie-debugsource, opie-x86, permissions, permissions-debuginfo
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 21 Marcus Meissner 2011-07-27 11:28:55 UTC
Comment 22 Felix Schneider 2011-07-28 19:51:30 UTC
(In reply to comment #4)
> Created an attachment (id=435902) [details]
> patch proposal for opiesu overflow bug
> .

I don't see an issue with the Nulltermination here since
argvsize += argc;
accounts for spaces as well as the terminating 0-Byte. The only problem I see is when argc == 0 which should rather be prevented by checking argc < 1.
Comment 23 Bernhard Wiedemann 2011-10-31 21:03:31 UTC
This is an autogenerated message for OBS integration:
This bug (698772) was mentioned in
https://build.opensuse.org/request/show/89843 Tumbleweed / permissions