
registry team mailing list archive

[Bug 677226] Re: CVE-2010-4170 and CVE-2010-4171: staprun module loading/unloading security fixes

 

Unfortunately, relying on build time permission setting is insufficient;
dh_fixperms removes the setuid bit and converts everything to root
ownership. In order to fix it to be owned, we need to do
dpkg-statoverride in the postinst (as well as tweak the
dh_fixperms_override step in the debian rules file), like so:

diff -Nru systemtap-1.3/debian/rules systemtap-1.3/debian/rules
--- systemtap-1.3/debian/rules	2010-08-06 11:34:25.000000000 -0700
+++ systemtap-1.3/debian/rules	2010-11-19 15:26:42.000000000 -0800
@@ -87,7 +87,7 @@
 
 override_dh_fixperms:
 	dh_fixperms
-	chmod 4755 debian/systemtap-runtime/usr/bin/staprun
+	chmod 4750 debian/systemtap-runtime/usr/bin/staprun
 
 override_dh_installchangelogs:
 	        dh_installchangelogs debian/changelog
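
Review bot: the changed chmod line in override_dh_fixperms sets only the mode, so the packaged binary stays root:root after dh_fixperms and the stapusr group ownership depends entirely on the postinst step. The value 4750 now lives in both debian/rules and systemtap-runtime.postinst; a short comment above the chmod pointing at the dpkg-statoverride call would keep the two from drifting apart.
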
diff -Nru systemtap-1.3/debian/systemtap-runtime.postinst systemtap-1.3/debian/systemtap-runtime.postinst
--- systemtap-1.3/debian/systemtap-runtime.postinst	2010-08-06 11:34:25.000000000 -0700
+++ systemtap-1.3/debian/systemtap-runtime.postinst	2010-11-19 15:30:31.000000000 -0800
@@ -12,6 +12,11 @@
 		echo "Adding stapusr group..."
 		addgroup --quiet --system stapusr || true
 	fi
+	# Fixup staprun binary for new group 'stapusr'.
+	if [ -x /usr/sbin/dpkg-statoverride ] &&
+	   ! dpkg-statoverride --list /usr/bin/staprun > /dev/null ; then
+		dpkg-statoverride --update --add root stapusr 4750 /usr/bin/staprun
+	fi
 	;;
 abort-upgrade|abort-remove|abort-deconfigure)
 	;;
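
Review bot: the added block registers a statoverride but the patch carries no matching removal, so unless the package's postrm already handles it, a purge leaves an override behind that names the stapusr group; consider removing it there with dpkg-statoverride --remove /usr/bin/staprun. Two smaller points in the same block: the guard tests -x /usr/sbin/dpkg-statoverride but the calls go through PATH, and the --list check keeps any override that already exists, whatever its mode, so a comment saying that local overrides are deliberately preserved would help.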

I've incorporated this into packages that I've uploaded to the
ubuntu-security-proposed ppa at
https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages
and verified that the permissions and ownership are such that only
users in the stapusr group (as well as root) can run staprun, and that
the upstream patch addresses Tavis' example cases:

   $ staprun [module_to_remove]

and

  $ MODPROBE_OPTIONS="--dirname /tmp" staprun -u whatever

Thanks.

-- 
CVE-2010-4170 and CVE-2010-4171: staprun module loading/unloading security fixes
https://bugs.launchpad.net/bugs/677226
You received this bug notification because you are a member of Registry
Administrators, which is the registrant for Debian.
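
The permission and ownership check described in the message above can be scripted as follows. This is an added example, not part of the original message or of the package; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit a group-restricted setuid helper such as /usr/bin/staprun.
# Function names are hypothetical; GNU coreutils stat is assumed.

# check_perms PATH OWNER GROUP MODE
# Returns 0 when the on-disk owner, group and octal mode match and no
# permission bits are set for "other"; 1 on a mismatch; 2 if PATH is missing.
check_perms() {
    cp_path=$1; cp_owner=$2; cp_group=$3; cp_mode=$4
    [ -e "$cp_path" ] || { echo "$cp_path: missing"; return 2; }
    cp_stat=$(stat -c '%U %G %a' "$cp_path") || return 2
    cp_rc=0
    if [ "$cp_stat" != "$cp_owner $cp_group $cp_mode" ]; then
        echo "$cp_path: is '$cp_stat', want '$cp_owner $cp_group $cp_mode'"
        cp_rc=1
    fi
    # The last octal digit is the "other" class; anything but 0 lets
    # users outside the group reach the binary.
    case ${cp_stat##* } in
        *0) ;;
        *) echo "$cp_path: accessible to users outside $cp_group"; cp_rc=1 ;;
    esac
    return $cp_rc
}

# check_override LINE PATH OWNER GROUP MODE
# LINE is the output of `dpkg-statoverride --list PATH`, whose format is
# "owner group mode path". Returns 0 only when the override matches.
check_override() {
    [ -n "$1" ] || { echo "$2: no statoverride registered"; return 1; }
    [ "$1" = "$3 $4 $5 $2" ] && return 0
    echo "$2: override is '$1', want '$3 $4 $5 $2'"
    return 1
}

# Usage on an installed system (values taken from the patch above):
#   check_perms /usr/bin/staprun root stapusr 4750
#   check_override "$(dpkg-statoverride --list /usr/bin/staprun)" \
#       /usr/bin/staprun root stapusr 4750
```

Run after installation and again after an upgrade: the postinst skips the override when one is already registered, so the second check catches a stale entry.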


