Bug#329156: gnome-pty-helper foo
I have not yet found any uses for utmp/wtmp: maybe Joey is right and there is no security issue. I would then suggest that, to increase security, setuid/setgid bits be removed from all utmp/wtmp maintainers.

In the meantime, I hope that conscientious sysadmins do look at who and last output occasionally; and expect that

  [EMAIL PROTECTED]:~$ exploit "$(perl -e 'print "XX)\nroot     tty01        Jan 01 02:03 (insecure.com"')" & sleep 1; who; sleep 6
  [1] 22149
  Writing utmp (who) record ...
  utmp record will be cleaned up when we exit.
  To leave it behind, kill gnome-pty-helper: kill 22152
  Sleeping for 5 secs...
  psz      pts/2        Oct 12 12:16 (XX)
  root     tty01        Jan 01 02:03 (insecure.com)
  psz      pts/1        Oct 12 11:37 (y622.yt.maths.usyd.edu.au:0.0)
  [1]+  Done                    exploit "$(perl -e 'print "XX)\nroot     tty01        Jan 01 02:03 (insecure.com"')"
  [EMAIL PROTECTED]:~$

should suitably freak them out.

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
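The session above works because `who` prints the ut_host field verbatim, so a newline smuggled into it produces a second, entirely fictitious row. Below is an added example (written for this page; it is not code from the bug thread, from Paul Szabo, or from gnome-pty-helper) that parses utmp/wtmp records in the glibc x86_64 layout and flags records that would spoof `who` or `last` output in this way. It also carries a cross-check against the kernel, ownership of /dev/<ut_line>, which is the kind of check the later discussion about "owning" a terminal asks for. The 384-byte struct layout, the field names and the two sample records (one honest, one carrying the newline payload from the transcript) are assumptions and constructions made here, not data from a real system.

```python
"""Audit Linux utmp/wtmp records for entries that would spoof `who`/`last`.

Added example for this page; not from the Debian bug thread, from Paul
Szabo, or from gnome-pty-helper. Assumes the glibc struct utmp layout used
on x86_64 Linux (384 bytes per record, the layout `who` and `last` read).
All sample records below are constructed here, not captured from a host.
"""
import struct
import time

# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{e_termination,e_exit}, ut_session, ut_tv{tv_sec,tv_usec},
# ut_addr_v6[4], __unused[20]  -> 384 bytes (assumed glibc x86_64 layout)
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS = 7


def pack_record(pid, line, user, host, tv_sec, ut_type=USER_PROCESS):
    """Build one record. Strings are truncated to their field width, as a
    C strncpy into the struct would truncate them; struct pads with NULs."""
    def f(s, n):
        return s.encode("latin-1")[:n]
    return struct.pack(UTMP_FMT, ut_type, pid, f(line, 32), f(line[-4:], 4),
                       f(user, 32), f(host, 256), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0)


def _cstr(raw):
    """Decode a fixed-width C string: stop at the first NUL but keep every
    other byte (newlines included) so nothing is hidden from the check."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(data):
    """Split a utmp/wtmp byte string into a list of dict records."""
    if len(data) % UTMP_SIZE:
        raise ValueError("utmp data is not a whole number of records")
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        t, pid, line, rid, user, host, _, _, _, tv_sec, *_ = struct.unpack(
            UTMP_FMT, data[off:off + UTMP_SIZE])
        recs.append({"type": t, "pid": pid, "line": _cstr(line),
                     "id": _cstr(rid), "user": _cstr(user),
                     "host": _cstr(host), "time": tv_sec})
    return recs


def who_line(rec):
    """Render a record the way `who` prints it. ut_host goes out verbatim,
    which is exactly how an embedded newline becomes a fake row."""
    stamp = time.strftime("%b %d %H:%M", time.gmtime(rec["time"]))
    return "%-8s %-12s %s (%s)" % (rec["user"], rec["line"], stamp, rec["host"])


def suspicious(rec):
    """Return the reasons a record should not be trusted (empty = clean)."""
    reasons = []
    for name in ("line", "user", "host"):
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in rec[name]):
            reasons.append("control character in ut_%s" % name)
    if rec["type"] == USER_PROCESS:
        if not rec["user"] or " " in rec["user"]:
            reasons.append("implausible ut_user %r" % rec["user"])
        if not (rec["line"].startswith("tty") or rec["line"].startswith("pts/")):
            reasons.append("ut_line %r is not a tty" % rec["line"])
    return reasons


def audit(data):
    """Map record index -> reasons, for every record with at least one."""
    findings = {}
    for i, rec in enumerate(parse_utmp(data)):
        reasons = suspicious(rec)
        if reasons:
            findings[i] = reasons
    return findings


def tty_owner_ok(rec, stat_uid_of, uid_of):
    """Cross-check a record against the kernel instead of the file:
    /dev/<ut_line> must exist and be owned by ut_user. On a live host pass
    lambda p: os.stat(p).st_uid and lambda u: pwd.getpwnam(u).pw_uid; here
    the callables are injected so the example runs offline on fake tables."""
    try:
        return stat_uid_of("/dev/" + rec["line"]) == uid_of(rec["user"])
    except (OSError, KeyError):
        return False


# Constructed sample: one honest session, and one whose ut_host carries the
# same newline payload as the exploit transcript above. Timestamps are
# arbitrary 2005 values that fit the 32-bit tv_sec field.
LEGIT = pack_record(22100, "pts/1", "psz",
                    "y622.yt.maths.usyd.edu.au:0.0", 1129076220)
INJECTED = pack_record(22152, "pts/2", "psz",
                       "XX)\nroot     tty01        Jan 01 02:03 (insecure.com",
                       1129078560)
SAMPLE_UTMP = LEGIT + INJECTED

if __name__ == "__main__":
    for rec in parse_utmp(SAMPLE_UTMP):
        print(who_line(rec))        # second record prints as two rows
    print(audit(SAMPLE_UTMP))       # {1: ['control character in ut_host']}
```

On a real system feed it `open("/var/run/utmp", "rb").read()` (or wtmp for `last`); the control-character check catches the newline trick regardless of which setgid helper wrote the record, and the ownership cross-check is what to rely on when a decision (whose terminal is this?) actually matters.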
Bug#329156: gnome-pty-helper foo
Loïc Minier wrote:
> Hi,
>
> On Fri, Oct 07, 2005, Martin Schulze wrote:
> > severity 329156 normal
> > thanks dude
>
> You didn't Cc: control, I've bounced it to control.

I usually use Bcc for that, so that group replies don't annoy our control dude. :)

> > Ok, so unless somebody proves us wrong we don't consider this a
> > security problem.
>
> Is something to be done for the allocated CVE id?

MITRE needs to decide on that. I'll probably drop Steven a note.

Regards,

Joey

--
Everybody talks about it, but nobody does anything about it! -- Mark Twain

Please always Cc to me when replying to me on the lists.
Bug#329156: gnome-pty-helper foo
Hi,

On Fri, Oct 07, 2005, Martin Schulze wrote:
> severity 329156 normal
> thanks dude

You didn't Cc: control, I've bounced it to control.

> Ok, so unless somebody proves us wrong we don't consider this a
> security problem.

Is something to be done for the allocated CVE id?

Cheers,
--
Loïc Minier <[EMAIL PROTECTED]>
Bug#329156: gnome-pty-helper foo
severity 329156 normal
thanks dude

Loïc Minier wrote:
> Hi,
>
> On Fri, Oct 07, 2005, Martin Schulze wrote:
> > Could somebody explain the security implication for me?
>
> You can record in the utmp/wtmp logs something which is wrong, for
> example that a user is currently connected to a display while he
> isn't. I'm not the one to argue with though.

Ok, so unless somebody proves us wrong we don't consider this a
security problem.

Regards,

Joey

--
Everybody talks about it, but nobody does anything about it! -- Mark Twain

Please always Cc to me when replying to me on the lists.
Bug#329156: gnome-pty-helper foo
Joey,

> Could somebody explain the security implication for me?
>
> being able to write arbitrary strings into valid records without
> overwriting any other data in utmp/wtmp can hardly be classified
> as a security vulnerability.

It depends on what trust you place in the correctness of utmp/wtmp.

Knowing that records are often left behind (not cleaned up or closed), you may have grown to regard them as useless data. However, in that case they should be abandoned: getting rid of many setuid/setgid objects, improving security. (Records left behind may be regarded as a security issue: how do you know when all users are off and it is "safe" to reboot?)

Some people would like to rely on utmp/wtmp correctness. If I see user X doing something funny: do I run to office A or office B? Some academics (foolishly?) like to allocate "participation marks" (attendance records) to students in their tutorial: based on utmp/wtmp, that is surely useless. When allowing users access to USB sticks on their "thin client" terminals, how do I know if they "own" (are logged in to) that particular terminal: run xhost and check return status, wasting resources...

As I commented elsewhere, I do not think any Debian utilities ever use utmp/wtmp. Are you then at liberty to abandon them?

Viewed another way: users are not meant to be able to write fake utmp/wtmp records. But they can. Anything that users can do, without authority, is a security issue. Any unexpected behaviour is a potential security issue.

> (Apart from that, I'm only slightly annoyed as I had to learn about
> this via MITRE / GNOME Bugzilla instead of a mail from the maintainer
> to the security team?)

Would I have been allowed to contact the security team directly? Are not all security-tagged bug reports monitored, as a matter of course? (Are they knowledgeable enough to advise on your questions above?)

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
Bug#329156: gnome-pty-helper foo
Hi,

On Fri, Oct 07, 2005, Martin Schulze wrote:
> Could somebody explain the security implication for me?

You can record in the utmp/wtmp logs something which is wrong, for
example that a user is currently connected to a display while he
isn't. I'm not the one to argue with though.

> being able to write arbitrary strings into valid records without
> overwriting any other data in utmp/wtmp can hardly be classified
> as a security vulnerability.

I have no idea, I'll let you judge such things. Since gnome-pty-helper seemed to have some special permission to write to utmp (because it is sgid), I took the problem seriously. Whether this issue is to be considered a security vulnerability or not, I couldn't tell for sure, and in doubt I selected security, but I agree that it's a minor issue anyway.

> (Apart from that, I'm only slightly annoyed as I had to learn about
> this via MITRE / GNOME Bugzilla instead of a mail from the maintainer
> to the security team?)

In my defense (as I am the one who more or less followed this bug), I'd claim that a/ this was reported against a GNOME 1 package (and it was later discovered that the GNOME 2 package is affected too) which was in the process of being orphaned, b/ this seemed like a very minor issue, c/ I thought you were tracking "tags + security" bugs, and d/ I didn't want to start bothering the security team for an issue not discussed with upstream and without any patch. Of course, there's also e/ I don't have any security background or training, but that's obvious.

My usual way of handling sec bugs is i/ tag the bug security, connect the relevant CVE ids, upstream bugs, available patches, ii/ talk with upstream, check the affected versions, check the patch causes no regression, check the patch applies everywhere, check the patch fixes the issue, iii/ propose a diff to the security team. I now realize I should have contacted the security team almost immediately, and will do so in the future.

I have more important things to track right now than this vulnerability, and I didn't have any response from upstream yet.

Cheers,
--
Loïc Minier <[EMAIL PROTECTED]>
Bug#329156: gnome-pty-helper foo
Could somebody explain the security implication for me?

Being able to write arbitrary strings into valid records without
overwriting any other data in utmp/wtmp can hardly be classified
as a security vulnerability.

(Apart from that, I'm only slightly annoyed as I had to learn about
this via MITRE / GNOME Bugzilla instead of a mail from the maintainer
to the security team?)

Regards,

Joey

--
Everybody talks about it, but nobody does anything about it! -- Mark Twain

Please always Cc to me when replying to me on the lists.