Bug#657985: sudo: 1.8 Format String Vulnerability

2012-02-02 Thread Jakub Wilk

* Harry Sintonen sinto...@iki.fi, 2012-01-31, 01:42:
> -D_FORTIFY_SOURCE=2 was enabled in package version 1.8.3p1-3. See:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655417
>
> This makes current sid package (1.8.3p1-3) safe.

Maybe. Maybe not. There are known ways of exploiting string format
vulnerabilities even with -D_FORTIFY_SOURCE=2.


--
Jakub Wilk



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#657985: sudo: 1.8 Format String Vulnerability

2012-02-02 Thread Harry Sintonen

On Thu, 2 Feb 2012, Jakub Wilk wrote:


> * Harry Sintonen sinto...@iki.fi, 2012-01-31, 01:42:
>> -D_FORTIFY_SOURCE=2 was enabled in package version 1.8.3p1-3. See:
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655417
>>
>> This makes current sid package (1.8.3p1-3) safe.
>
> Maybe. Maybe not. There are known ways of exploiting string format
> vulnerabilities even with -D_FORTIFY_SOURCE=2.


If you're referring to the glibc args_type[specs[cnt].width_arg] = PA_INT; 
32-bit 0-write to reset the FORTIFY flag, sure it is possible, but rather 
painful with ASLR. It is true however that if you get to exploit this 
thing you run it locally, making it quite fast to bruteforce (albeit with 
some noise in the logs).


Of course I wasn't suggesting that you should skip updating to the fixed 
version or anything.


But agreed, "safe" was perhaps a bit too strong a statement. "relatively
safe" would have been more suitable.



  Regards,
--
l=2001;main(i){float o,O,_,I,D;for(;O=I=l/571.-1.75,l;)for(putchar(--l%80?
i:10),o=D=l%80*.05-2,i=31;_=O*O,O=2*o*O+I,o=o*o-_+D,o+_+_4+Di++87;);puts
(  Harry 'Piru' Sintonen sinto...@iki.fi http://www.iki.fi/sintonen;);}






Bug#657985: sudo: 1.8 Format String Vulnerability

2012-01-30 Thread Henri Salo
Package: sudo
Version: 1.8.3p1-2
Severity: important

A full-disclosure user reported an issue in sudo. Please verify:
http://seclists.org/fulldisclosure/2012/Jan/590 I hope the version information
is correct in this bug report. Please contact me if you need testing and I can
help!

- Henri Salo






Bug#657985: sudo: 1.8 Format String Vulnerability

2012-01-30 Thread Henri Salo
This issue seems to be: CVE-2012-0809
Gentoo report: https://bugs.gentoo.org/show_bug.cgi?id=401533

- Henri Salo






Bug#657985: sudo: 1.8 Format String Vulnerability

2012-01-30 Thread Bdale Garbee
On Mon, 30 Jan 2012 17:27:17 +0200, Henri Salo he...@nerv.fi wrote:
> A full-disclosure user reported issue in sudo. Please verify:
> http://seclists.org/fulldisclosure/2012/Jan/590 I hope the version
> information is correct in this bug-report. Please contact me if you
> need testing and I can help!

Thanks for the pointer.  I'll plan to build and upload 1.8.3p2 tonight.

Bdale




Bug#657985: sudo: 1.8 Format String Vulnerability

2012-01-30 Thread Harry Sintonen

> A full-disclosure user reported issue in sudo. Please verify:
> http://seclists.org/fulldisclosure/2012/Jan/590 I hope the version
> information is correct in this bug-report.


-D_FORTIFY_SOURCE=2 was enabled in package version 1.8.3p1-3. See: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655417


This makes current sid package (1.8.3p1-3) safe. Any attempt to exploit
the vulnerability via format string (%n) results in:

*** %n in writable segment detected ***

and a controlled abort.

Relevant fortify code can be found in glibc:
http://pastebin.com/C6jLM8r8



Testing has 1.8.3p1-2 which *is* exploitable (assuming other security 
features such as ASLR can be bypassed).



Stable has 1.7.4p4-2.squeeze.2 which doesn't have the -D flag or the 
vulnerable code at all, and thus is safe:


sudo: invalid option -- 'D'


  Regards,
--
l=2001;main(i){float o,O,_,I,D;for(;O=I=l/571.-1.75,l;)for(putchar(--l%80?
i:10),o=D=l%80*.05-2,i=31;_=O*O,O=2*o*O+I,o=o*o-_+D,o+_+_4+Di++87;);puts
(  Harry 'Piru' Sintonen sinto...@iki.fi http://www.iki.fi/sintonen;);}



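The message above describes the two things that make a user-controlled format string dangerous and that -D_FORTIFY_SOURCE=2 is built to catch at run time: a %n conversion writing through a pointer, and conversions that pull more arguments than the caller passed. As an added example (my own code, not from the bug report, from glibc or from sudo), the following C program approximates those two checks as a static scan of a format string, and shows the hardened logging shape that removes the bug class entirely by never letting untrusted text become the format. The names audit_format, log_untrusted, count_rejected and the sample strings are all constructed for this illustration; glibc's fortify check works inside vfprintf and additionally tests whether the %n lands in a writable segment, which this pre-scan does not model.

```c
#include <stdio.h>
#include <string.h>

/* Verdicts returned by audit_format(). */
enum fmt_verdict {
    FMT_OK = 0,            /* no %n and no more conversions than arguments */
    FMT_HAS_N = 1,         /* contains %n, which writes through a pointer   */
    FMT_TOO_MANY_CONV = 2  /* reads more arguments than the caller supplied */
};

/*
 * Walk a printf-style format string and count the arguments it would
 * consume.  This is an added, simplified checker (assumption: not glibc's
 * fortify code): it handles "%%", flags, width/precision (a '*' consumes
 * an extra int), positional "%N$" prefixes and length modifiers just well
 * enough to flag the two classic symptoms of an attacker-controlled format
 * string: a %n write conversion and more conversions than arguments.
 */
enum fmt_verdict audit_format(const char *fmt, int nargs_supplied)
{
    int needed = 0;
    int has_n = 0;
    const char *p = fmt;

    while (*p != '\0') {
        if (*p++ != '%')
            continue;                 /* ordinary text */
        if (*p == '%') {              /* "%%" prints a literal '%' */
            p++;
            continue;
        }
        /* flags, width, precision, positional index, length modifiers */
        while (*p != '\0' && strchr("-+ #0123456789$.*hlLqjzt", *p) != NULL) {
            if (*p == '*')
                needed++;             /* '*' pulls an int off the arguments */
            p++;
        }
        if (*p == '\0')
            break;                    /* truncated specifier at end of string */
        if (*p == 'n')
            has_n = 1;
        needed++;                     /* the conversion itself */
        p++;
    }

    if (has_n)
        return FMT_HAS_N;
    if (needed > nargs_supplied)
        return FMT_TOO_MANY_CONV;
    return FMT_OK;
}

/*
 * Hardened logging helper: the format string is a compile-time constant
 * and the untrusted text is passed as a %s argument, so whatever the
 * caller's string contains (%n, %x, ...) is printed verbatim and never
 * interpreted.  The vulnerable shape this replaces is fprintf(out, text).
 */
int log_untrusted(FILE *out, const char *text)
{
    return fprintf(out, "%s\n", text);
}

/* Constructed sample inputs, as a program might receive from a user. */
static const char *const samples[] = {
    "user %s logged in",        /* benign, one argument */
    "100%% done",               /* literal percent, no arguments */
    "%08x.%08x.%08x.%08x",      /* classic stack-read probe */
    "%08x%08x%n",               /* the pattern fortify's %n check aborts on */
};

/* Return how many of the samples audit_format() rejects when used with
 * one supplied argument; main() below prints the per-sample verdict. */
int count_rejected(void)
{
    int rejected = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (audit_format(samples[i], 1) != FMT_OK)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    static const char *const names[] = { "ok", "has %n", "too many conversions" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-24s -> %s\n", samples[i], names[audit_format(samples[i], 1)]);
        log_untrusted(stdout, samples[i]);   /* printed verbatim, not interpreted */
    }
    return 0;
}
```

The scan is a detection aid for code review or for gating configuration-supplied formats; the fix that actually closes the bug is the log_untrusted shape (constant format, data as an argument), which compilers enforce with -Wformat-security and which leaves -D_FORTIFY_SOURCE=2 as a second line of defence rather than the only one.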