Bug 979282 (CVE-2016-6251) - AUDIT-0: shadow subuids/subgids
Summary: AUDIT-0: shadow subuids/subgids
Status: RESOLVED FIXED
Alias: CVE-2016-6251
Product: SUSE Security Incidents
Classification: Novell Products
Component: Audits
Version: unspecified
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:RedHat:CVE-2016-6252:4.4:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-10 13:46 UTC by Michael Vetter
Modified: 2018-07-30 22:38 UTC
CC List: 7 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
subuid patch proposal (2.33 KB, patch)
2016-07-19 09:19 UTC, Sebastian Krahmer

Description Michael Vetter 2016-05-10 13:46:05 UTC
For an update of the shadow package we would need to have some changes to the permissions package https://github.com/openSUSE/permissions

https://build.opensuse.org/request/show/393769
After that I can remove the workaround in that request and submit to Base:System.
Comment 1 Marcus Meissner 2016-05-12 15:36:57 UTC
+/usr/bin/newgidmap                                      root:shadow       4755
+/usr/bin/newuidmap                                      root:shadow       4755
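Review bot: these two entries make newuidmap and newgidmap setuid root and executable by everyone (mode 4755; the root:shadow ownership does not restrict who may run them), which is exactly the "shipping newuidmap as mode 04755" configuration that the CVE-2016-6252 report later in this bug singles out, so the permissions change should only ship alongside a shadow build that carries the integer-handling fix, and the group could be left as root since it buys nothing here.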
Comment 12 Sebastian Krahmer 2016-07-19 09:19:34 UTC
Created attachment 684679 [details]
subuid patch proposal

fixing potential security issues
Comment 13 Johannes Segitz 2016-07-21 08:31:56 UTC
CVEs got assigned:

> 1) Removing getlogin() to find out about users.
>    It relies on utmp, which is not a trusted base of info (group writable).

Possibly the concern is that the utmp entry might have a spoofed
username associated with the correct uid, and the attacker's goal is
to obtain unauthorized group privileges. We have not studied the code
in detail, but shadow-4.2.1/src/newgrp.c seems to have this sequence
of calls:

  pwd = get_my_pwent ();
     [ note that this calls getlogin ]
  grp = xgetgrgid (pwd->pw_gid);
  gid = grp->gr_gid;
  setgid (gid)

Use CVE-2016-6251 for the potentially unsafe use of getlogin.

>    there was an *int overflow*, which can be
>    tested via 'newuidmap $$ 0 10000 -1' (given that 10000 is listed as allowed)
>    which produces no error but tries to write large "count" values to the uid_map
>    file

>> After checking some kernels, it looks like this int wrap is exploitable as a LPE,
>> as kernel is using 32bit uid's that are truncated from unsigned longs (64bit on x64)
>> as returned by simple_strtoul() [map_write()]. So newuidmap and kernel have an entirely
>> different view on the upper and lower bounds, making newuidmap overflow (and pass)
>> and still being in bounds inside the kernel.
>>
>> So everyone shipping newuidmap as mode 04755 should fix it. :)

shadow-4.2.1/src/Makefile.in has:

  suidubins = chage chfn chsh expiry gpasswd newgrp passwd newuidmap newgidmap

Use CVE-2016-6252 for the incorrect integer handling.
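The integer wrap described in the quoted report, as an added C example that is not shadow's code and not part of this bug: it puts the bounds check done in wrapping unsigned long arithmetic beside a checked version, and shows what a 32-bit kernel field makes of the count that the wrapping check let through. The allowed range {10000, 65536}, the function names and the sample triples are constructed for illustration; shadow's actual fix for CVE-2016-6252 is not reproduced here.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What one /etc/subuid line grants the caller: host ids [start, start+count).
 * Constructed sample values; the file itself is not parsed here. */
struct sub_range {
    unsigned long start;
    unsigned long count;
};

/* strtoul()-style parsing as a getulong() helper does it. strtoul() accepts
 * a leading '-' and negates the magnitude, so "-1" parses without error to
 * ULONG_MAX, which is why 'newuidmap $$ 0 10000 -1' printed no error. */
static bool parse_ulong(const char *s, unsigned long *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return false;
    *out = v;
    return true;
}

/* Vulnerable-style bound check: is [lower, lower+count) inside the allowance?
 * lower + count is computed in unsigned long and silently wraps around. */
static bool range_ok_wrapping(const struct sub_range *allowed,
                              unsigned long lower, unsigned long count)
{
    unsigned long allowed_end = allowed->start + allowed->count; /* exclusive */
    return lower >= allowed->start && lower + count <= allowed_end;
}

/* Hardened check (illustrative, not shadow's patch): zero-length maps are
 * rejected, both values must fit the kernel's 32-bit id fields so userspace
 * and kernel agree on what the numbers mean, and the bound is tested by a
 * subtraction that cannot wrap. */
static bool range_ok_checked(const struct sub_range *allowed,
                             unsigned long lower, unsigned long count)
{
    unsigned long allowed_end = allowed->start + allowed->count;
    if (count == 0 || count > UINT32_MAX || lower > UINT32_MAX)
        return false;
    if (lower < allowed->start || lower >= allowed_end)
        return false;
    return count <= allowed_end - lower;   /* no wrap: lower < allowed_end */
}

/* Decide one "lower count" pair from the command line the way each variant
 * would; the "upper" (container-side) id plays no role in the bound. */
static bool triple_accepted(const struct sub_range *allowed,
                            const char *lower_s, const char *count_s,
                            bool hardened)
{
    unsigned long lower, count;
    if (!parse_ulong(lower_s, &lower) || !parse_ulong(count_s, &count))
        return false;
    return hardened ? range_ok_checked(allowed, lower, count)
                    : range_ok_wrapping(allowed, lower, count);
}

/* The value newuidmap would print into /proc/PID/uid_map, parsed back the
 * way the report describes the kernel doing it (simple_strtoul() into a
 * u32 field): the high bits are simply dropped. */
static uint32_t kernel_field_view(unsigned long written)
{
    char buf[32];
    snprintf(buf, sizeof buf, "%lu", written);
    return (uint32_t)strtoul(buf, NULL, 10);
}

int main(void)
{
    const struct sub_range allowed = { 10000, 65536 };   /* constructed */
    const char *cases[][2] = { {"10000", "65536"}, {"10000", "65537"},
                               {"10000", "-1"} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned long c = 0;
        parse_ulong(cases[i][1], &c);
        printf("lower=%s count=%s  wrapping:%s  checked:%s  kernel u32 count=%u\n",
               cases[i][0], cases[i][1],
               triple_accepted(&allowed, cases[i][0], cases[i][1], false)
                   ? "accept" : "reject",
               triple_accepted(&allowed, cases[i][0], cases[i][1], true)
                   ? "accept" : "reject",
               (unsigned)kernel_field_view(c));
    }
    return 0;
}
```

On a 64-bit build the "-1" count becomes ULONG_MAX, `lower + count` wraps to `lower - 1` and the wrapping check passes although the request covers every id above `lower`; the kernel then stores the count as 4294967295 in its u32 field. The checked variant rejects the same input on both 32- and 64-bit builds, first because the count does not fit a u32 and, failing that, because it exceeds the remaining allowance.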
Comment 19 Bernhard Wiedemann 2016-08-02 10:00:36 UTC
This is an autogenerated message for OBS integration:
This bug (979282) was mentioned in
https://build.opensuse.org/request/show/416539 Factory / permissions
Comment 23 Sebastian Krahmer 2016-12-07 15:20:09 UTC
resolved fixed
Comment 24 Bernhard Wiedemann 2017-09-14 12:02:22 UTC
This is an autogenerated message for OBS integration:
This bug (979282) was mentioned in
https://build.opensuse.org/request/show/526050 Factory / permissions
Comment 25 Bernhard Wiedemann 2017-10-24 14:05:32 UTC
This is an autogenerated message for OBS integration:
This bug (979282) was mentioned in
https://build.opensuse.org/request/show/536398 Factory / shadow