Bug#657985: sudo: 1.8 Format String Vulnerability
* Harry Sintonen <sinto...@iki.fi>, 2012-01-31, 01:42:
> -D_FORTIFY_SOURCE=2 was enabled in package version 1.8.3p1-3. See:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655417
> This makes current sid package (1.8.3p1-3) safe.

Maybe. Maybe not. There are known ways of exploiting string format vulnerabilities even with -D_FORTIFY_SOURCE=2.

-- 
Jakub Wilk

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#657985: sudo: 1.8 Format String Vulnerability
On Thu, 2 Feb 2012, Jakub Wilk wrote:
> * Harry Sintonen <sinto...@iki.fi>, 2012-01-31, 01:42:
>> -D_FORTIFY_SOURCE=2 was enabled in package version 1.8.3p1-3. See:
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655417
>> This makes current sid package (1.8.3p1-3) safe.
>
> Maybe. Maybe not. There are known ways of exploiting string format
> vulnerabilities even with -D_FORTIFY_SOURCE=2.

If you're referring to the glibc "args_type[specs[cnt].width_arg] = PA_INT;" 32-bit 0-write to reset the FORTIFY flag, sure it is possible, but rather painful with ASLR. It is true however that if you get to exploit this thing you run it locally, making it quite fast to bruteforce (albeit with some noise in the logs).

Of course I wasn't suggesting that you should skip updating to the fixed version or anything. But agreed, "safe" was perhaps a bit too strong a statement. "Relatively safe" would have been more suitable.

Regards,

-- 
l=2001;main(i){float o,O,_,I,D;for(;O=I=l/571.-1.75,l;)for(putchar(--l%80?
i:10),o=D=l%80*.05-2,i=31;_=O*O,O=2*o*O+I,o=o*o-_+D,o+_+_4+Di++87;);puts (
Harry 'Piru' Sintonen sinto...@iki.fi http://www.iki.fi/sintonen;);}
Bug#657985: sudo: 1.8 Format String Vulnerability
Package: sudo
Version: 1.8.3p1-2
Severity: important

A full-disclosure user reported an issue in sudo. Please verify:
http://seclists.org/fulldisclosure/2012/Jan/590

I hope the version information is correct in this bug report. Please contact me if you need testing and I can help!

- Henri Salo
Bug#657985: sudo: 1.8 Format String Vulnerability
This issue seems to be: CVE-2012-0809

Gentoo report: https://bugs.gentoo.org/show_bug.cgi?id=401533

- Henri Salo
Bug#657985: sudo: 1.8 Format String Vulnerability
On Mon, 30 Jan 2012 17:27:17 +0200, Henri Salo <he...@nerv.fi> wrote:
> A full-disclosure user reported an issue in sudo. Please verify:
> http://seclists.org/fulldisclosure/2012/Jan/590
> I hope the version information is correct in this bug report. Please contact me if you need testing and I can help!

Thanks for the pointer. I'll plan to build and upload 1.8.3p2 tonight.

Bdale
Bug#657985: sudo: 1.8 Format String Vulnerability
> A full-disclosure user reported an issue in sudo. Please verify:
> http://seclists.org/fulldisclosure/2012/Jan/590
> I hope the version information is correct in this bug report.

-D_FORTIFY_SOURCE=2 was enabled in package version 1.8.3p1-3. See:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655417

This makes current sid package (1.8.3p1-3) safe. Any attempt to exploit the vulnerability via format string (%n) results in:

  *** %n in writable segment detected ***

and a controlled abort. Relevant fortify code can be found in glibc: http://pastebin.com/C6jLM8r8

Testing has 1.8.3p1-2 which *is* exploitable (assuming other security features such as ASLR can be bypassed).

Stable has 1.7.4p4-2.squeeze.2 which doesn't have the -D flag or the vulnerable code at all, and thus is safe:

  sudo: invalid option -- 'D'

Regards,

-- 
l=2001;main(i){float o,O,_,I,D;for(;O=I=l/571.-1.75,l;)for(putchar(--l%80?
i:10),o=D=l%80*.05-2,i=31;_=O*O,O=2*o*O+I,o=o*o-_+D,o+_+_4+Di++87;);puts (
Harry 'Piru' Sintonen sinto...@iki.fi http://www.iki.fi/sintonen;);}
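As an added example (not code from this bug thread, from sudo or from glibc), a small C model of the FORTIFY_SOURCE=2 rule Harry describes above: a parser that spots a %n conversion in a format string, a Linux-only lookup of whether an address lies in a read-only mapping (modelled on glibc's readonly_area(), which reads /proc/self/maps), and the resulting accept/abort decision. The names fmt_has_percent_n, addr_is_readonly and fortified_format_ok are assumed for this example and are not glibc's API.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if fmt holds a %n conversion, skipping "%%", flags, width,
 * precision, positional "N$" and length modifiers; otherwise 0. */
int fmt_has_percent_n(const char *fmt)
{
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        p++;                                   /* past the '%' */
        if (*p == '%') { p++; continue; }      /* literal "%%" */
        while (*p && strchr("-+ #0123456789.$*'", *p)) p++;
        while (*p && strchr("hlLqjzt", *p)) p++;
        if (*p == 'n') return 1;
        if (*p == '\0') break;
        p++;
    }
    return 0;
}

/* Linux-only, assumed helper modelled on glibc's readonly_area(): find the
 * mapping that contains addr in /proc/self/maps. 1 = read-only,
 * 0 = writable, -1 = cannot tell (no /proc, or address not mapped). */
int addr_is_readonly(const void *addr)
{
    unsigned long a = (unsigned long)addr, lo, hi;
    char line[256], perms[5];
    int result = -1;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (a >= lo && a < hi) { result = (perms[1] == '-'); break; }
    }
    fclose(f);
    return result;
}

/* The rule the thread describes: a %n conversion is only tolerated when
 * the format string itself sits in read-only memory; glibc's fortified
 * printf aborts with "*** %n in writable segment detected ***" otherwise.
 * fmt_is_readonly is the answer from addr_is_readonly() or the caller's
 * own knowledge (passed as a constant in the tests). */
int fortified_format_ok(const char *fmt, int fmt_is_readonly)
{
    if (!fmt_has_percent_n(fmt)) return 1;     /* no %n: always fine */
    return fmt_is_readonly == 1;               /* %n: only in rodata */
}
```

A writable format string that a user controls (the situation in the sudo bug) and that reaches %n is the case this check turns into an abort rather than a memory write; a %n in a compile-time constant format string still passes.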