From: Harald Becker
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817]
Date: Sat, 18 Apr 2015 17:49:51 +0200
Message-ID: <55327D1F.5070807@gmx.de>
In-Reply-To: <20150418152542.GG6817@brightrain.aerifal.cx>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com
Cc: Matt Johnston

On 18.04.2015 17:25, Rich Felker wrote:
>> The server hostkey will remain in process
>> memory since it's required for rekeying - not as bad as root
>> code execution though.
>
> Ugly. I don't see how this can be solved without a more advanced
> privsep model. I agree it's lower-severity though.

IMO you may put the host keys in a file readable (not writable) with a
dropbear group, and only use that group for dropbear (no other users
or programs using that group). So you may read the keys even if not
root, if you add this dropbear group to setgroups (not setgid) before
dropping root privileges.

Harald
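
The setup described in the message above, as an added example in C (not part of the original message and not dropbear's code): a check that a key file matches the group-readable policy, and a root drop that keeps the key group only as a supplementary group. The function names, root ownership of the file, and denying all access to others are assumptions made for this example.

```c
#define _DEFAULT_SOURCE           /* for setgroups() on glibc/musl */
#include <grp.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Key file policy from the message: readable, not writable, by a group
 * used for nothing else. Root ownership and "no access for others" are
 * assumptions added here. Returns 1 if st matches, 0 otherwise. */
int key_file_ok(const struct stat *st, gid_t keygid)
{
    if (!S_ISREG(st->st_mode)) return 0;
    if (st->st_uid != 0 || st->st_gid != keygid) return 0;
    if (!(st->st_mode & S_IRGRP)) return 0;             /* group must read */
    if (st->st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) return 0;
    return 1;
}

/* Drop root to uid/gid, keeping keygid only as a supplementary group.
 * Order matters: setgroups() and setgid() need root, so setuid() is last.
 * Returns 0 on success, -1 on any failure (caller should exit). */
int drop_root_keep_keygroup(uid_t uid, gid_t gid, gid_t keygid)
{
    if (uid == 0 || gid == keygid) return -1;  /* keygid must not be primary */
    if (setgroups(1, &keygid) != 0) return -1; /* replaces root's group list */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop is irreversible and the identity is as intended. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    struct stat st;
    /* Usage: ./check <keyfile> <keygid>; exit 0 when the policy holds. */
    if (argc != 3 || stat(argv[1], &st) != 0) return 2;
    return key_file_ok(&st, (gid_t)strtoul(argv[2], NULL, 10)) ? 0 : 1;
}
```

As the quoted text notes, the key still sits in process memory after the drop; this only lets the unprivileged process read the key file without being root.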