Re: Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817]

[Harald Becker <ralda@gmx.de>]

On 18.04.2015 18:37, Rich Felker wrote:
>> @Rich: I still get DNS error (Mozilla Thunderbird) for
>> dalias@libc.org, when tying to send mail :(
>
> Odd. I just verified that Google's 8.8.8.8 resolves it right, so I
> don't know what's wrong, but it seems to be on your end. Let me know
> if you find anything that looks like a problem on my side.

AFAIK, you use a CNAME as MX, which is resolved on some, but not all 
systems / programs. You need to add an absolute IP address for your MX, 
not a CNAME, to be accessible for all.

A-record lookup is ok (resolved recursive), but MX lookup fails (doesn't 
do recursive lookup everywhere).


>> On 18.04.2015 17:58, Rich Felker wrote:
> Well anything that gets code execution in the dropbear session process
> would be able to steal the key still. The only added protection you'd
> get is is against heartbleed-type attacks (arbitrary memory read but
> no code exeution).

ACK, ... isn't that bad, to protect against that kind of key steeling, 
with a very simple solution, and no need to further code restructuring?

IMO it is a quick intermediate solution, until someone may be able to 
restructure key creation code, still giving the possibility to let 
dropbear drop root privileges completely (except pty/utmp question).


>> So consider my suggestion a simpler to implement solution, in
>> between having full root privileges or hanging keys in memory, and
>> an external process to do the rekey steps (in addition: with the
>> possibility to let that process use the dropbear group and not root
>> to access keys - even better than let that process hang around as
>> root)
>
> If this external process is setuid/setgid, I consider that a much
> bigger vuln.

Just to mention: My statement 'separate process' doesn't included or 
intended a separate suid/sgid program.


> It would have to somehow verify that it's being invoked
> by a valid dropbear session process and not some other caller that
> just wants to use it to steal keys/forge key negotiations, and you
> have all the usual issues with setuid programs having to be defensive
> about the state they inherit when invoked.

I didn't think of an exec to a separate program, but just fork and let a 
process for key management run in the back. So a bit simpler to verify 
authentication of caller, but still somehow required ... or what else 
did you suggest?


> If on the other hand the session process just kept gid=dropbear to
> open and reload the key, it wouldn't be so bad.

That's it, the key creator part doesn't need root privileges for it's 
operation either. That is just a combination of the two approaches.

Harald