From: Rich Felker
Newsgroups: gmane.linux.busybox, gmane.linux.lib.musl.general
Subject: Busybox on musl is affected by CVE-2015-1817
Date: Mon, 30 Mar 2015 01:31:50 -0400
Message-ID: <20150330053150.GA484@brightrain.aerifal.cx>
To: busybox@busybox.net
Cc: musl@lists.openwall.com

For details on CVE-2015-1817, see:
http://www.openwall.com/lists/musl/2015/03/30/1

With musl-linked Busybox installed setuid and ping enabled, exploiting
this issue is trivial.

While CVE-2015-1817 is certainly musl's fault, there are two changes to
Busybox I'd like to propose that would have prevented it from being
exploitable:

1. Having setuid utilities like ping obtain the resource they need (in
   the case of ping, SOCK_RAW) without processing user input at all,
   then fully dropping root (setuid(getuid())) before doing anything.
   This has been standard practice for setuid programs since the 90s
   and it feels bad that busybox is not doing it.

2. Reconsider the rejection of the patch to add SOCK_DGRAM support for
   ping, which allows it to run without root.

Do either or both of these sound acceptable?

Rich
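The privilege-handling order proposed above, as an added example that is
not BusyBox, musl or Rich's code. It shows the skeleton of a setuid ping
that (1) opens its ICMP socket with constant arguments before touching
argv, (2) drops root permanently and verifies the drop, and (3) only then
parses the command line. It also shows the second proposal: when a raw
socket is not permitted it falls back to a Linux SOCK_DGRAM/IPPROTO_ICMP
"ping socket", which needs no root. The argument parser (`-c count host`),
the return codes and the default count of 4 are assumptions made for the
example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

enum { SETUP_OK = 0, SETUP_NO_SOCKET = 1, SETUP_BAD_ARGS = 2 };

/* Step 1: acquire the privileged resource with constant arguments only.
 * Nothing derived from argv or the environment is used here. */
int acquire_icmp_socket(int *is_raw)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd >= 0) { *is_raw = 1; return fd; }
    if (errno != EPERM && errno != EACCES) return -1;
    /* Unprivileged fallback (Linux): a SOCK_DGRAM ICMP socket works without
     * root as long as the caller's gid is inside net.ipv4.ping_group_range. */
    fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd >= 0) *is_raw = 0;
    return fd;
}

/* 1 if no elevated identity remains: real == effective ids, and a
 * non-root caller cannot get root back through a saved set-user-id. */
int privileges_dropped(void)
{
    if (geteuid() != getuid() || getegid() != getgid()) return 0;
    if (getuid() != 0 && setuid(0) == 0) return 0;   /* saved uid was still 0 */
    return 1;
}

/* Step 2: drop root permanently. Supplementary groups first (needs root),
 * then gid, then uid. Every call is checked: an unchecked failed drop is
 * exactly how a setuid program keeps running as root by accident.
 * With euid 0, setuid() sets real, effective and saved uid together. */
int drop_privileges(void)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(getgid()) != 0) return -1;
    if (setuid(getuid()) != 0) return -1;
    return privileges_dropped() ? 0 : -1;
}

/* Step 3: user input. Assumed minimal syntax "ping [-c count] host";
 * returns 0 on success, -1 on a malformed command line. */
int parse_args(int argc, char **argv, long *count, const char **host)
{
    *count = 4;          /* assumed default probe count */
    *host = NULL;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-c") == 0) {
            char *end;
            if (++i >= argc) return -1;
            errno = 0;
            *count = strtol(argv[i], &end, 10);
            if (errno != 0 || *end != '\0' || *count <= 0) return -1;
        } else if (argv[i][0] == '-' || *host != NULL) {
            return -1;
        } else {
            *host = argv[i];
        }
    }
    return *host ? 0 : -1;
}

/* The order that matters: socket, drop root, and only then argv. */
int ping_setup(int argc, char **argv, int *fd, int *is_raw,
               long *count, const char **host)
{
    *fd = acquire_icmp_socket(is_raw);
    int sock_errno = errno;
    if (drop_privileges() != 0)
        abort();         /* never continue as root by accident */
    /* Unprivileged from here on; user-controlled data is safe to process. */
    if (*fd < 0) { errno = sock_errno; return SETUP_NO_SOCKET; }
    if (parse_args(argc, argv, count, host) != 0) {
        close(*fd); *fd = -1;
        return SETUP_BAD_ARGS;
    }
    return SETUP_OK;
}

int main(int argc, char **argv)
{
    int fd, is_raw; long count; const char *host;
    int rc = ping_setup(argc, argv, &fd, &is_raw, &count, &host);
    if (rc == SETUP_NO_SOCKET) { perror("socket"); return 1; }
    if (rc == SETUP_BAD_ARGS) { fprintf(stderr, "usage: ping [-c count] host\n"); return 2; }
    printf("uid=%u euid=%u %s socket, %ld probes to %s\n", (unsigned)getuid(),
           (unsigned)geteuid(), is_raw ? "raw" : "dgram", count, host);
    close(fd);
    return 0;
}
```

Note that on a non-root run with a default ping_group_range of "1 0" both
socket() calls fail and the program reports that, but it still drops
privileges and still never parses argv while elevated; that is the property
the first proposal asks for.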