Bugzilla – Bug 698772
VUL-0: opie: off by one errors in opiesu
Last modified: 2011-10-31 21:03:31 UTC
In opiesu.c we have a miscalculation for the malloced buffer (missing the last \0 byte after the last strcat):

    {
        int argvsize = 0;

        for (i = 0; i < argc; argvsize += strlen(argv[i++]));
        argvsize += argc;
        if (!(argvbuf = malloc(argvsize))) {
            syslog(LOG_ERR, "can't allocate memory to store command line");
            exit(1);
        };
        for (i = 0, *argvbuf = 0; i < argc;) {
            strcat(argvbuf, argv[i]);
            if (++i < argc)
                strcat(argvbuf, " ");
        };
    };

And probably this one isn't correct too:

    strcat(pathbuf, DEFAULT_PATH);

To reproduce just type "opiesu" to trigger the runtime overflow check.
Also, opielogin is not checking setuid() return value, e.g. this is a local root exploit.
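Added example for the setuid() point above. This is not opielogin's code and not taken from any attachment in this bug; the function names are hypothetical. It shows the unchecked-drop shape the comment describes next to a drop that checks the return value and then verifies the identity actually changed. On Linux, setuid() to a non-root uid fails with EAGAIN when that uid is already at its RLIMIT_NPROC, which is how a local user can make the drop fail on purpose; a setuid-root program that ignores the result keeps running as root while believing it is the user.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical shape of the bug (not opielogin's code): the result of
 * setuid() is thrown away.  If setuid() fails (EAGAIN at RLIMIT_NPROC,
 * EPERM, ...) the process is still root but the caller carries on as if
 * privileges were dropped. */
int drop_privs_unchecked(uid_t target)
{
    setuid(target);
    return 0;                 /* "success" regardless of what happened */
}

/* Check that real and effective uid both equal target. */
int verify_uid(uid_t target)
{
    return (getuid() == target && geteuid() == target) ? 0 : -1;
}

/* Checked drop: fail closed on a setuid() error, prove the identity
 * really changed, and prove root cannot be regained (a saved set-uid of 0
 * would let setuid(0) succeed again). */
int drop_privs_checked(uid_t target)
{
    if (setuid(target) != 0)
        return -1;            /* errno says why, e.g. EAGAIN or EPERM */
    if (verify_uid(target) != 0)
        return -1;
    if (target != 0 && setuid(0) == 0)
        return -1;            /* saved uid was still root: refuse to continue */
    return 0;
}

int main(void)
{
    uid_t me = getuid();
    if (drop_privs_checked(me) != 0) {
        perror("setuid");
        return 1;
    }
    printf("running as uid %u, euid %u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

Run unprivileged, drop_privs_checked(getuid()) succeeds and drop_privs_checked(0) is refused, while drop_privs_unchecked(0) reports success even though the process never became root. That silent "success" is the whole problem the comment describes.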
Update together with permissions that removes all setuid bits from opie* as the code likely is unused
Created attachment 435901: patch proposal for the setuid() bug.
Created attachment 435902: patch proposal for opiesu overflow bug.
Just for the record, the problematic off by one is probably the strcat(pathbuf, DEFAULT_PATH); (static buffer missing the space for the "=") as the crash doesn't happen when fixing this. However I keep the patch as is since it is fixing the problem(s).
The SWAMPID for this issue is 41782. This issue was rated as moderate. Please submit fixed packages until 2011-07-06. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
CVE-2011-2489 opiesu off by one
CVE-2011-2490 opiesu missing setuid() check
This is an autogenerated message for OBS integration: This bug (698772) was mentioned in
https://build.opensuse.org/request/show/74775 11.4 / permissions
https://build.opensuse.org/request/show/74776 Factory / permissions
trying to get it to build for Factory still... other updates are checked in.
factory done, reassign for tracking
the setuid bit is supposed to be gone, as we also released a "permissions" update doing just that. for testing you can briefly re-add it. the setuid bit removal from opiesu should have also happened on sle11-sp1. Can you check that the correct permissions and opie packages were installed?
On every SLE11 host I have the same results:

    frisch:~ # rpm -q opie permissions
    opie-2.4-662.18.1
    permissions-2011.6.28-0.3.1
    frisch:~ # ls -l `which opiesu`
    -rwsr-xr-x 1 root root 44752 Jun 29 23:12 /usr/bin/opiesu
Does a SuSEconfig --module permissions remove it? Anyway, this is an optional feature of this update; important is that opiesu no longer crashes.
ludwig just told me what the issue is: opiesu got removed completely from permissions, so the order of installation is important. if permissions got installed first, it won't have removed the setuid bit. Again, this is harmless, we added this as a new measure.
I will approve updates now, however on SLES10-SP4 and SLES10-SP3 ppc64 opie pam is not working as pam_opie.so module is not present under /lib64/security. This is not a regression. bnc#708353
Update released for: opie, opie-debuginfo, opie-debugsource, permissions, permissions-debuginfo, permissions-debugsource Products: openSUSE 11.3 (debug, i586, x86_64) openSUSE 11.4 (debug, i586, x86_64)
Update released for: opie, opie-debuginfo, permissions Products: SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: opie, opie-32bit, opie-debuginfo, opie-debuginfo-32bit, opie-debuginfo-x86, opie-debugsource, opie-x86, permissions, permissions-debuginfo Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-SDK 11-SP1 (i386, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
released
(In reply to comment #4)
> Created an attachment (id=435902)
> patch proposal for opiesu overflow bug

I don't see an issue with the NUL termination here since argvsize += argc; accounts for spaces as well as the terminating 0-byte. The only problem I see is when argc == 0, which should rather be prevented by checking argc < 1.
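Added example, covering both the argvsize calculation quoted in the report and the argc == 0 observation in the reply above. None of this is opiesu code or from the attachments; opiesu_argvsize() reproduces only the arithmetic of the quoted loop, and join_argv() and build_env_assignment() are hypothetical hardened versions. It works through the sizing: for argc >= 1 the quoted formula (sum of lengths plus argc) equals the exact need, (argc - 1) separators plus one NUL, so the join itself is not off by one; for argc == 0 it yields 0, and the following *argvbuf = 0 is a one-byte write into a zero-length (or NULL) allocation. The last function shows the "NAME=value" shape of the pathbuf/DEFAULT_PATH concatenation with the byte for '=' and the NUL both accounted for before anything is written.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The arithmetic of the quoted opiesu loop: sum of strlen(argv[i]) plus
 * argc.  With argc >= 1 this is (argc - 1) spaces plus one NUL, which is
 * enough.  With argc == 0 it is 0, and the caller then does *argvbuf = 0
 * on a malloc(0) result. */
size_t opiesu_argvsize(int argc, char **argv)
{
    size_t n = 0;
    for (int i = 0; i < argc; i++)
        n += strlen(argv[i]);
    return n + (size_t)argc;
}

/* Exact requirement for "a b c\0": all string bytes, one space between
 * each neighbouring pair, one terminating NUL. */
size_t argv_join_needed(int argc, char **argv)
{
    size_t n = 1;                          /* terminating NUL */
    for (int i = 0; i < argc; i++)
        n += strlen(argv[i]);
    if (argc > 1)
        n += (size_t)argc - 1;             /* separators */
    return n;
}

/* Hypothetical hardened join: refuses argc < 1 (the case the original
 * formula mishandles), allocates the exact size and appends through a
 * running offset instead of repeated strcat().  Returns a malloc()ed
 * string or NULL. */
char *join_argv(int argc, char **argv)
{
    if (argc < 1 || argv == NULL)
        return NULL;
    size_t need = argv_join_needed(argc, argv);
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    size_t off = 0;
    for (int i = 0; i < argc; i++) {
        size_t len = strlen(argv[i]);
        memcpy(buf + off, argv[i], len);
        off += len;
        if (i + 1 < argc)
            buf[off++] = ' ';
    }
    buf[off] = '\0';
    if (off + 1 != need) {                 /* sanity: stayed inside the allocation */
        free(buf);
        return NULL;
    }
    return buf;
}

/* Hypothetical fixed-buffer "NAME=value" assembly, the shape of the
 * pathbuf/DEFAULT_PATH concatenation.  The buffer must hold the name,
 * the '=', the value and the NUL; anything that would not fit is refused
 * instead of overflowing (strcat) or silently clipping (snprintf alone). */
int build_env_assignment(char *buf, size_t bufsz, const char *name, const char *value)
{
    size_t need = strlen(name) + 1 + strlen(value) + 1;   /* '=' and NUL */
    if (need > bufsz)
        return -1;
    int n = snprintf(buf, bufsz, "%s=%s", name, value);
    return (n >= 0 && (size_t)n + 1 == need) ? 0 : -1;
}

int main(int argc, char **argv)
{
    printf("quoted formula: %zu, exact need: %zu\n",
           opiesu_argvsize(argc, argv), argv_join_needed(argc, argv));
    char *cmd = join_argv(argc, argv);
    if (cmd) {
        printf("%s\n", cmd);
        free(cmd);
    }
    return 0;
}
```

For a constructed argv of "opiesu", "-", "root" both size functions give 14 and the join produces "opiesu - root"; for argc == 0 the quoted formula gives 0 while one byte is actually needed. "PATH=/bin:/usr/bin" needs 19 bytes including the '=' and the NUL, so a buffer of 18 is refused rather than overrun.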
This is an autogenerated message for OBS integration: This bug (698772) was mentioned in https://build.opensuse.org/request/show/89843 Tumbleweed / permissions