Bug#657985: sudo: 1.8 Format String Vulnerability
* Harry Sintonen sinto...@iki.fi, 2012-01-31, 01:42: -D_FORTIFY_SOURCE=2 was enabled in package version 1.8.3p1-3. See: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655417 This makes current sid package (1.8.3p1-3) safe. Maybe. Maybe not. There are known ways of exploiting string format vulnerabilities even with -D_FORTIFY_SOURCE=2. -- Jakub Wilk -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#657985: sudo: 1.8 Format String Vulnerability
On Thu, 2 Feb 2012, Jakub Wilk wrote:
* Harry Sintonen sinto...@iki.fi, 2012-01-31, 01:42:
-D_FORTIFY_SOURCE=2 was enabled in package version 1.8.3p1-3. See:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655417
This makes current sid package (1.8.3p1-3) safe.
Maybe. Maybe not. There are known ways of exploiting string format
vulnerabilities even with -D_FORTIFY_SOURCE=2.
If you're referring to the glibc args_type[specs[cnt].width_arg] = PA_INT;
32-bit 0-write to reset the FORTIFY flag, sure it is possible, but rather
painful with ASLR. It is true however that if you get to exploit this
thing you run it locally, making it quite fast to bruteforce (albeit with
some noise in the logs).
Of course I wasn't suggesting that you should skip updating to the fixed
version or anything.
But agreed, safe was perhaps a bit too strong statement. relatively
safe would have been more suitable.
Regards,
--
l=2001;main(i){float o,O,_,I,D;for(;O=I=l/571.-1.75,l;)for(putchar(--l%80?
i:10),o=D=l%80*.05-2,i=31;_=O*O,O=2*o*O+I,o=o*o-_+D,o+_+_4+Di++87;);puts
( Harry 'Piru' Sintonen sinto...@iki.fi http://www.iki.fi/sintonen;);}
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#657985: sudo: 1.8 Format String Vulnerability
Package: sudo Version: 1.8.3p1-2 Severity: important A full-disclosure user reported issue in sudo. Please verify: http://seclists.org/fulldisclosure/2012/Jan/590 I hope the version information is correct in this bug-report. Please contact me if you need testing and I can help! - Henri Salo -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#657985: sudo: 1.8 Format String Vulnerability
This issue seems to be: CVE-2012-0809 Gentoo report: https://bugs.gentoo.org/show_bug.cgi?id=401533 - Henri Salo -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#657985: sudo: 1.8 Format String Vulnerability
On Mon, 30 Jan 2012 17:27:17 +0200, Henri Salo he...@nerv.fi wrote: A full-disclosure user reported issue in sudo. Please verify: http://seclists.org/fulldisclosure/2012/Jan/590 I hope the version information is correct in this bug-report. Please contact me if you need testing and I can help! Thanks for the pointer. I'll plan to build and upload 1.8.3p2 tonight. Bdale pgpycvvCWkii2.pgp Description: PGP signature
Bug#657985: sudo: 1.8 Format String Vulnerability
A full-disclosure user reported issue in sudo. Please verify:
http://seclists.org/fulldisclosure/2012/Jan/590 I hope the version
information is correct in this bug-report.
-D_FORTIFY_SOURCE=2 was enabled in package version 1.8.3p1-3. See:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655417
This makes current sid package (1.8.3p1-3) safe. Any attempt to exploit
the vulnerability via format string (%n) results in:
*** %n in writable segment detected *** and controlled abort.
Relevant fortify code can be found from glibc:
http://pastebin.com/C6jLM8r8
Testing has 1.8.3p1-2 which *is* exploitable (assuming other security
features such as ASLR can be bypassed).
Stable has 1.7.4p4-2.squeeze.2 which doesn't have the -D flag or the
vulnerable code at all, and thus is safe:
sudo: invalid option -- 'D'
Regards,
--
l=2001;main(i){float o,O,_,I,D;for(;O=I=l/571.-1.75,l;)for(putchar(--l%80?
i:10),o=D=l%80*.05-2,i=31;_=O*O,O=2*o*O+I,o=o*o-_+D,o+_+_4+Di++87;);puts
( Harry 'Piru' Sintonen sinto...@iki.fi http://www.iki.fi/sintonen;);}
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
