From: Rich Felker
To: Matt Johnston
Cc: musl@lists.openwall.com
Subject: Re: Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817]
Date: Fri, 17 Apr 2015 13:23:27 -0400
Message-ID: <20150417172327.GB6817@brightrain.aerifal.cx>
In-Reply-To: <20150417131008.GE17615@ucc.gu.uwa.edu.au>

On Fri, Apr 17, 2015 at 09:10:08PM +0800, Matt Johnston wrote:
> Hi,
>
> I think Dropbear probably is vulnerable to CVE-2015-1817
> post-authentication. TCP forwarding requests will call
> getaddrinfo()
> https://secure.ucc.asn.au/hg/dropbear/file/cbd674d63cd4/dbutil.c#l415
> (moved to netio.c in head, and PF_UNSPEC has been fixed to
> AF_UNSPEC). Pre-authentication should be OK, only
> getnameinfo() is called (if that's enabled).

Yes, I agree dropbear is affected.

And wow, this is an utter mess. Not only does dropbear fail to drop root
before processing forwards; it NEVER drops root at all. The user's
session remains running as root for its full lifetime. Aside from being
a huge risk, it also allows users to bypass uid-based firewall rules via
port forwarding; for example, a rule that forbids normal users from
making outgoing connections on port 25 would not be honored.

Is there any reason for not performing the setgroups/setgid/setuid
immediately after authentication succeeds? Have you looked at whether it
would be easy to patch that in?

None of this excuses CVE-2015-1817, which was a huge failure on our part,
but it seems pretty crazy that dropbear is doing EVERYTHING as root.

> musl's network-facing DNS code seems a bit precarious with
> pointer arithmetic?

Which code are you talking about? There was a previous problem with
dn_expand, which is the main function that comes to mind for me, and the
code was fixed and heavily reviewed at the time. Are there other areas
you're concerned about?

Rich
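The setgroups/setgid/setuid sequence Rich asks about, as an added example that is not dropbear's or musl's code: the order matters (once the uid is no longer 0, gid and supplementary groups can no longer be changed), and the result must be verified before the session goes on to handle requests such as forwards. The function name drop_privileges and the numeric uid/gid taken from argv are assumptions made for this example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Switch to the authenticated user's identity in the only order that works:
 * supplementary groups, then primary gid, then uid. Calling setuid() first
 * would leave root's groups behind, since a non-root uid cannot change them.
 * Returns 0 on success, -1 if any step failed or the drop could not be verified. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() requires CAP_SETGID; only a root process can (and must) do it.
     * An already-unprivileged caller has nothing to clear and would get EPERM. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) { perror("setgroups"); return -1; }
    if (setgid(gid) != 0) { perror("setgid"); return -1; }
    if (setuid(uid) != 0) { perror("setuid"); return -1; }

    /* Verify: real and effective ids must both equal the target ... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* ... and a non-root target must be unable to regain root. If setuid(0)
     * succeeds here, a saved uid of 0 was left behind and the drop is worthless. */
    if (uid != 0 && (setuid(0) == 0 || errno != EPERM))
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Target identity from argv[1]/argv[2] (numeric uid and gid); with no
     * arguments the caller's own ids are used, which exercises the checks
     * without needing root. */
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "failed to drop privileges; refusing to continue\n");
        return 1;
    }
    printf("now running as uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

A server would call this right after authentication succeeds and treat a non-zero return as fatal rather than continuing as root.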