Closed
Bug 365703
Opened 18 years ago
Closed 18 years ago
setgid programs linked with NSPR allow elevation of privileges
Categories
(NSPR :: NSPR, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
4.6.5
People
(Reporter: glandium, Assigned: wtc)
Details
(Keywords: fixed1.8.0.10, fixed1.8.1.2)
Attachments
(1 file, 1 obsolete file)
1.19 KB,
patch
|
alvolkov.bgs
:
review+
|
Details | Diff | Splinter Review |
This affects all unices systems. (ashamedly copy/paste from bug #351470) NSPR logging is controlled with a couple of environment variables, one to enable it, and a second to control the name of the log file. This appears to all work in "optimized" (non-debug) builds. So, if any setgid $group program is linked with NSPR, any user can clobber any file on the system (any $group writable file) by setting NSPR's environment variables to log to that file, and then running a setgid $group program linked with NSPR. For example, on Debian, there is a program called camel-lock-helper-1.2 that comes with evolution-data-server, that is setgid mail. Typically, that means files in /var/mail can be clobbered by anyone can run camel-lock-helper-1.2... Testing for getgid() == getegid() wherever getuid() == geteuid() is tested in the fix for bug #351470 should be enough to fix this.
Assignee | ||
Updated•18 years ago
|
Group: security
Assignee | ||
Comment 1•18 years ago
|
||
Attachment #250501 -
Flags: superreview?(alexei.volkov.bugs)
Attachment #250501 -
Flags: review?(mh+mozilla)
Assignee | ||
Updated•18 years ago
|
Status: NEW → ASSIGNED
Target Milestone: --- → 4.6.5
Comment 2•18 years ago
|
||
Comment on attachment 250501 [details] [diff] [review] Proposed patch additional review, r=nelson
Attachment #250501 -
Flags: review+
Reporter | ||
Comment 3•18 years ago
|
||
Comment on attachment 250501 [details] [diff] [review] Proposed patch >- if (getuid() != geteuid()) { >+ if (getuid() != geteuid() || getgid() != getegid()) { Wouldn't it be better to add a level of parenthesis ?
Assignee | ||
Comment 4•18 years ago
|
||
Comment on attachment 250501 [details] [diff] [review] Proposed patch Mike, I'll be happy to add a level of parenthesis when I check in the patch. Do you have the setup to trigger this bug and test this patch?
Reporter | ||
Comment 5•18 years ago
|
||
I'll give it a try this week-end. I have to fix this in libnspr for Debian(we build it out of xulrunner, for the moment)
Assignee | ||
Comment 6•18 years ago
|
||
I added a level of parenthesis as Mike suggested. I checked in the patch on the NSPR trunk (NSPR 4.7) Checking in io/prlog.c; /cvsroot/mozilla/nsprpub/pr/src/io/prlog.c,v <-- prlog.c new revision: 3.37; previous revision: 3.36 done Checking in misc/prtrace.c; /cvsroot/mozilla/nsprpub/pr/src/misc/prtrace.c,v <-- prtrace.c new revision: 3.11; previous revision: 3.10 done Checking in io/prlog.c; /cvsroot/mozilla/nsprpub/pr/src/io/prlog.c,v <-- prlog.c new revision: 3.24.2.10; previous revision: 3.24.2.9 done Checking in misc/prtrace.c; /cvsroot/mozilla/nsprpub/pr/src/misc/prtrace.c,v <-- prtrace.c new revision: 3.5.4.5; previous revision: 3.5.4.4 done Checking in io/prlog.c; /cvsroot/mozilla/nsprpub/pr/src/io/prlog.c,v <-- prlog.c new revision: 3.34.2.2; previous revision: 3.34.2.1 done Checking in misc/prtrace.c; /cvsroot/mozilla/nsprpub/pr/src/misc/prtrace.c,v <-- prtrace.c new revision: 3.8.2.2; previous revision: 3.8.2.1 done
Attachment #250501 -
Attachment is obsolete: true
Attachment #250638 -
Flags: review?(alexei.volkov.bugs)
Attachment #250501 -
Flags: superreview?(alexei.volkov.bugs)
Attachment #250501 -
Flags: review?(mh+mozilla)
Assignee | ||
Comment 7•18 years ago
|
||
Comment on attachment 250638 [details] [diff] [review] Proposed patch (as checked in) I forgot to say: the patch was also checked in on the NSPRPUB_PRE_4_2_CLIENT_BRANCH (Mozilla 1.9 Alpha 2) and NSPR_4_6_BRANCH (NSPR 4.6.5).
Assignee | ||
Updated•18 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 8•18 years ago
|
||
Unfortunately, the incriminated setgid program is actually linked against libnspr for no reason: it doesn't use it. I tried some other programs but can't manage to make them generate a log file... :-/
Comment 9•18 years ago
|
||
Comment on attachment 250638 [details] [diff] [review] Proposed patch (as checked in) r=alexei.volkov.bugs
Attachment #250638 -
Flags: review?(alexei.volkov.bugs) → review+
Comment 10•17 years ago
|
||
Does this also affect the 1.8 branch?
Assignee | ||
Comment 11•17 years ago
|
||
Myk: the Mozilla 1.8 branch already has the fix. You can verify that by checking the value of NSPR_CO_TAG in mozilla/client.mk. It is NSPR_4_6_5_RTM, which is the NSPR release the fix first appeared in (the target milestone of this bug is "4.6.5"). The Mozilla 1.8.0 branchy also has the fix.
Comment 12•17 years ago
|
||
Wan-Teh: great, thanks for the info! Marking fixed1.8 so this no longer shows up on triage queries for bugs that might need to be checked into the branch.
Keywords: fixed1.8
Updated•17 years ago
|
Updated•17 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•