touch-packages team mailing list archive, Message #70448
[Bug 1444518] Re: Insecure /proc/net/unix parsing
Hi Stéphane - Tavis pointed out [1] two additional issues with the patch
in comment #2.
1) The owner of the /proc/PID directory is controllable by executing a
setuid binary. You'll have to check the real UID of the process. That's
doable by parsing /proc/PID/status. The real UID is the first UID in the
Uid: row.
2) There's a race between getting the ppid and changing into the
/proc/ppid/ directory and the ppid could be recycled. It is best if you
call get_ppid() again, after the chdir(), and verify that the ppid
hasn't changed (meaning that it has been recycled).
[1] http://www.openwall.com/lists/oss-security/2015/04/15/11
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1444518
Title:
Insecure /proc/net/unix parsing
Status in apport package in Ubuntu:
Confirmed
Status in apport source package in Trusty:
Confirmed
Status in apport source package in Utopic:
Confirmed
Status in apport source package in Vivid:
Confirmed
Bug description:
The fix in USN-2569-1 introduced a vulnerability when parsing
/proc/net/unix.
There is a known issue in the kernel where newlines aren't being escaped properly:
http://www.spinics.net/lists/netdev/msg320556.html
Resulting in Tavis Ormandy finding a new issue:
http://www.openwall.com/lists/oss-security/2015/04/14/18
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1444518/+subscriptions
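The two checks relayed above, written out as an added example in Python (this is not the apport patch or any code from the thread): the real UID is taken from the first field of the Uid: row of /proc/PID/status instead of the directory owner, and the ppid is re-read after chdir() so a recycled PID is refused. The get_ppid() stand-in and the injectable ppid_reader/chdir parameters are assumptions made for illustration.

```python
import os


def parse_real_uid(status_text):
    """Return the real UID from the contents of /proc/PID/status.

    The "Uid:" row carries four values: real, effective, saved-set and
    filesystem UID. The owner of /proc/PID reflects the effective
    credentials, which a setuid binary changes; only the first field is
    the real UID the check should compare against.
    """
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            fields = line.split()[1:]
            if len(fields) != 4:
                raise ValueError("malformed Uid: row: %r" % line)
            return int(fields[0])
    raise ValueError("no Uid: row found")


def get_ppid():
    """Read the parent PID from /proc/self/status (hypothetical stand-in
    for the patch's get_ppid(); the real one may obtain it differently)."""
    with open("/proc/self/status") as f:
        for line in f:
            if line.startswith("PPid:"):
                return int(line.split()[1])
    raise RuntimeError("no PPid: row found")


def chdir_to_parent(ppid_reader=get_ppid, chdir=os.chdir):
    """chdir into /proc/<ppid>, then re-read the ppid and refuse to go on
    if it changed: a different value means the original parent is gone and
    its PID may already have been reused. Returns the verified ppid.
    ppid_reader and chdir are injectable so the race can be simulated."""
    ppid = ppid_reader()
    chdir("/proc/%d" % ppid)
    if ppid_reader() != ppid:
        raise RuntimeError("ppid %d changed after chdir; PID recycled" % ppid)
    return ppid


# Constructed sample: real UID 1000 but effective UID 0, as a process looks
# after exec of a setuid-root binary; /proc/PID would be owned by root.
SAMPLE_STATUS = (
    "Name:\tsuid-demo\nPid:\t4242\nPPid:\t4000\n"
    "Uid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n"
)

if __name__ == "__main__":
    print("real uid:", parse_real_uid(SAMPLE_STATUS))
```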