Bugzilla – Bug 979282
AUDIT-0: shadow subuids/subgids
Last modified: 2018-07-30 22:38:18 UTC
For an update of the shadow package we would need some changes to the permissions package:

https://github.com/openSUSE/permissions
https://build.opensuse.org/request/show/393769

After that I can remove the workaround in that request and submit to Base:System.
+/usr/bin/newgidmap root:shadow 4755 +/usr/bin/newuidmap root:shadow 4755
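Review bot: both entries make newuidmap and newgidmap setuid root with world execute (4755), so every local user can reach their argument parsing; the CVE comment later on this bug quotes the finding that newuidmap has an integer overflow in its count handling and that "everyone shipping newuidmap as mode 04755 should fix it", so these permissions entries should be submitted together with a shadow package that carries that fix, not ahead of it.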
Created attachment 684679: subuid patch proposal fixing potential security issues
CVEs got assigned:

> 1) Removing getlogin() to find out about users.
> It relies on utmp, which is not a trusted base of info (group writable).

Possibly the concern is that the utmp entry might have a spoofed username associated with the correct uid, and the attacker's goal is to obtain unauthorized group privileges. We have not studied the code in detail, but shadow-4.2.1/src/newgrp.c seems to have this sequence of calls:

    pwd = get_my_pwent ();    [ note that this calls getlogin ]
    grp = xgetgrgid (pwd->pw_gid);
    gid = grp->gr_gid;
    setgid (gid)

Use CVE-2016-6251 for the potentially unsafe use of getlogin.

> there was an *int overflow*, which can be
> tested via 'newuidmap $$ 0 10000 -1' (given that 10000 is listed as allowed)
> which produces no error but tries to write large "count" values to the uid_map
> file
>> After checking some kernels, it looks like this int wrap is exploitable as an LPE,
>> as the kernel is using 32-bit uids that are truncated from unsigned longs (64-bit on x64)
>> as returned by simple_strtoul() [map_write()]. So newuidmap and the kernel have an entirely
>> different view on the upper and lower bounds, making newuidmap overflow (and pass)
>> while still being in bounds inside the kernel.
>>
>> So everyone shipping newuidmap as mode 04755 should fix it. :)

shadow-4.2.1/src/Makefile.in has:

    suidubins = chage chfn chsh expiry gpasswd newgrp passwd newuidmap newgidmap

Use CVE-2016-6252 for the incorrect integer handling.
Upstream bugs: https://github.com/shadow-maint/shadow/issues/28 https://github.com/shadow-maint/shadow/issues/27
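The integer-handling problem behind CVE-2016-6252, modelled in C as an added example. This is not code from shadow, openSUSE or the people on this bug: the range check is a simplified model of the 4.2.1-era "does the allowed subordinate range cover the request" logic (an assumption, not a verbatim copy), the /etc/subuid entry 10000:65536 is constructed sample data, and the function names are made up for the example. It reproduces why `newuidmap $$ 0 10000 -1` passes the user-space check, shows what a 32-bit kernel field makes of the same value, and places a hardened check beside the vulnerable one.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample data standing in for one /etc/subuid line
 * ("user:10000:65536"): the caller may map subordinate uids 10000..75535. */
struct sub_range { unsigned long start; unsigned long count; };
static const struct sub_range sample_subuid = { 10000UL, 65536UL };

/* strtoul()-style argument parsing: "-1" is not rejected, the C library
 * negates it in unsigned arithmetic and returns ULONG_MAX with errno == 0. */
static bool parse_ulong(const char *s, unsigned long *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return false;
    *out = v;
    return true;
}

/* Vulnerable containment test (simplified model of the old logic): the last
 * requested id is computed as start + count - 1, which wraps when count is
 * close to ULONG_MAX, so an enormous request looks like a tiny one. */
static bool range_allowed_vulnerable(const struct sub_range *allowed,
                                     unsigned long start, unsigned long count)
{
    if (count == 0)
        return false;
    unsigned long end  = start + count - 1;                 /* wraps for count = ULONG_MAX */
    unsigned long last = allowed->start + allowed->count - 1;
    return start >= allowed->start && end <= last;
}

/* Hardened test: refuse any request that does not fit the 32-bit id space the
 * kernel uses (which also rules out start + count wrapping in unsigned long),
 * then do the same containment check on values that cannot overflow. */
static bool range_allowed_hardened(const struct sub_range *allowed,
                                   unsigned long start, unsigned long count)
{
    if (count == 0)
        return false;
    if (start > UINT32_MAX || count > (unsigned long)UINT32_MAX - start)
        return false;
    unsigned long end  = start + count - 1;
    unsigned long last = allowed->start + allowed->count - 1;
    return start >= allowed->start && end <= last;
}

/* Emulate the argument handling of `newuidmap $$ 0 <start> <count>` against
 * the sample allowance; returns whether the old check lets it through. */
bool request_allowed_vulnerable(const char *start_s, const char *count_s)
{
    unsigned long start, count;
    if (!parse_ulong(start_s, &start) || !parse_ulong(count_s, &count))
        return false;
    return range_allowed_vulnerable(&sample_subuid, start, count);
}

/* Same request, hardened check. */
bool request_allowed_hardened(const char *start_s, const char *count_s)
{
    unsigned long start, count;
    if (!parse_ulong(start_s, &start) || !parse_ulong(count_s, &count))
        return false;
    return range_allowed_hardened(&sample_subuid, start, count);
}

/* What the kernel side sees: map_write() parses the line with simple_strtoul()
 * into an unsigned long and stores it in 32-bit extent fields, so the high
 * bits are dropped (on 64-bit userland ULONG_MAX turns into 0xFFFFFFFF). */
unsigned long kernel_view(const char *count_s)
{
    unsigned long count;
    if (!parse_ulong(count_s, &count))
        return 0;
    return (uint32_t)count;
}

int main(void)
{
    const char *cases[][2] = { {"10000", "65536"}, {"10000", "65537"}, {"10000", "-1"} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("newuidmap $$ 0 %s %s: old check %s, hardened check %s, kernel sees count=%lu\n",
               cases[i][0], cases[i][1],
               request_allowed_vulnerable(cases[i][0], cases[i][1]) ? "passes" : "rejects",
               request_allowed_hardened(cases[i][0], cases[i][1]) ? "passes" : "rejects",
               kernel_view(cases[i][1]));
    }
    return 0;
}
```

With the sample allowance, the legitimate request 10000/65536 passes both checks, 10000/65537 fails both, and 10000/-1 (count = ULONG_MAX) passes only the vulnerable one because 10000 + ULONG_MAX - 1 wraps to 9998, which sits comfortably below the allowed last id; the hardened check rejects it before any arithmetic that could wrap. The kernel_view() value is the truncated count a u32 field would hold, which is the "entirely different view on the bounds" the report describes.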
This is an autogenerated message for OBS integration: This bug (979282) was mentioned in https://build.opensuse.org/request/show/416539 Factory / permissions
resolved fixed
This is an autogenerated message for OBS integration: This bug (979282) was mentioned in https://build.opensuse.org/request/show/526050 Factory / permissions
This is an autogenerated message for OBS integration: This bug (979282) was mentioned in https://build.opensuse.org/request/show/536398 Factory / shadow