From: Marcus Meissner <meissner-l3A5Bk7waGM <at> public.gmane.org>
Subject: Re: CVE Request -- libgssapi, libgssglue -- Ability to load untrusted configuration file, when loading GSS mechanisms and their definitions during initialization
Newsgroups: gmane.comp.security.oss.general
Date: Friday 12th August 2011 21:43:03 UTC (over 5 years ago)
On Fri, Aug 12, 2011 at 09:37:19PM +0200, Tomas Hoger wrote:
> On Mon, 25 Jul 2011 08:57:10 +0200 Sebastian Krahmer wrote:
> 
> > On Fri, Jul 22, 2011 at 03:56:22PM -0400, Josh Bressers wrote:
> > > I presume this only needs one ID
> > > 
> > > Use CVE-2011-2709
> > 
> > You probably speak about:
> > 
> > http://www.suse.de/~krahmer/libs-vs-fscaps/
> 
> I believe Josh was referring to libgssapi and libgssglue mentioned in
> the subject.  It's the same code in both, libgssglue is libgssapi
> renamed.
> 
> Would you mind sharing the patch you used in SLE packages?  It does not
> seem to have been fixed in OpenSUSE yet.  Thanks!

I just did a basic uid check.

Index: libgssglue-0.1/src/g_initialize.c
===================================================================
--- libgssglue-0.1.orig/src/g_initialize.c
+++ libgssglue-0.1/src/g_initialize.c
@@ -34,6 +34,8 @@
 #include 
 #include 
 #include 
+#include 
+#include 
 
 #ifdef USE_SOLARIS_SHARED_LIBRARIES
 #include 
@@ -195,7 +197,8 @@ static void solaris_initialize ()
     void *dl;
     gss_mechanism (*sym)(void), mech;
 
-    if ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)
+    if ((getuid() != geteuid()) ||
+        (filename = getenv("GSSAPI_MECH_CONF")) == NULL)
 	filename = MECH_CONF;
 
     if ((conffile = fopen(filename, "r")) == NULL) {
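Review bot: The `getuid() != geteuid()` test in solaris_initialize() only recognises the setuid case, so GSSAPI_MECH_CONF is still honoured in a setgid binary, in a binary that gains privilege through file capabilities (the subject of the libs-vs-fscaps link earlier in this thread), and in a setuid program that has already made its real uid equal to its effective uid before this initializer runs. At minimum add `getgid() != getegid()` to the condition. On glibc, prefer the loader's secure-execution signal over comparing ids by hand: `__secure_getenv()` (exported as `secure_getenv()` in later glibc releases) returns NULL when the process was started in secure-execution mode, which also covers the capability case.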
@@ -270,7 +273,8 @@ static void linux_initialize ()
     void *dl;
     gss_mechanism (*sym)(void), mech;
 
-    if ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)
+    if ((getuid() != geteuid()) ||
+        (filename = getenv("GSSAPI_MECH_CONF")) == NULL)
 	filename = MECH_CONF;
 
     if ((conffile = fopen(filename, "r")) == NULL) {
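Review bot: The condition added in linux_initialize() is a verbatim copy of the one in solaris_initialize(), and neither copy carries a comment saying why the environment variable is ignored. Suggest moving the decision into one small static helper that returns the configuration path (MECH_CONF for a privileged process, otherwise the GSSAPI_MECH_CONF value if set) with a short comment naming the privilege-escalation concern, so that any later tightening of the check reaches both code paths.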
 