This bug was fixed in the package eject -
2.1.5+deb1+cvs20081104-13.1ubuntu1

---------------
eject (2.1.5+deb1+cvs20081104-13.1ubuntu1) zesty; urgency=medium

  * SECURITY UPDATE: Improper check for dropped privileges (LP: #1673627)
    - dmcrypt-get-device.c: Ensure that setgid() and setuid() were successful
      before continuing
    - CVE-2017-6964

 -- Tyler Hicks <tyhi...@canonical.com>  Mon, 27 Mar 2017 21:21:46 +0000

** Changed in: eject (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to eject in Ubuntu.
https://bugs.launchpad.net/bugs/1673627

Title:
  dmcrypt-get-device does not check the return values of setuid() or
  setgid()

Status in eject package in Ubuntu:
  Fix Released

Bug description:
  Ilja Van Sprundel discovered that dmcrypt-get-device does not properly
  handle errors returned from setuid()/setgid() despite being a setuid-
  root binary. Although it looks to be handling trustworthy input from
  the kernel after the setuid()/setgid() calls, the intent is to be
  parsing the data as a non-root user.

  Here's the original report:

  I noticed that dmcrypt-get-device is suid root. Its source code is
  apparently written at Ubuntu (according to the comments).
  The code for which I found at
  http://archive.ubuntu.com/ubuntu/pool/main/e/eject/eject_2.1.5+deb1+cvs20081104-13.1.diff.gz

  which has the following comments: 
  * Opening /dev/mapper/control requires root privileges, therefore this
  * program needs to be installed setuid root. Root privileges are dropped
  * immediately after querying the information from the device mapper. The
  * parsing is done with normal user privileges afterwards.

  The priv dropping happens in dmcrypt-get-device.c and looks as
  follows:

      /* Drop all privileges */
      setgid(getgid());
      setuid(getuid());

  This unfortunately doesn't account for a failed call to setuid(), which
  would then perform the parsing as root.
  You'll probably want to fix both the call to setgid() and setuid() with
  proper return value checks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/eject/+bug/1673627/+subscriptions
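
The check the changelog describes (setgid() and setuid() must succeed before continuing), sketched as an added example; this is not the eject patch itself, which this notification does not include. The names drop_privileges_with and failing_setuid are hypothetical, introduced so the failure path can be exercised without root.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical seam: lets a failing setgid()/setuid() be simulated. */
typedef int (*setgid_fn)(gid_t);
typedef int (*setuid_fn)(uid_t);

/* Returns 0 only if the process now runs as the real user and group. */
int drop_privileges_with(setgid_fn do_setgid, setuid_fn do_setuid)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    /* Group first, as the original code does: with root still held,
     * setgid() also resets the saved gid. */
    if (do_setgid(rgid) != 0)
        return -1;
    if (do_setuid(ruid) != 0)
        return -1;

    /* Confirm the drop took effect rather than trusting return codes alone. */
    if (getegid() != rgid || geteuid() != ruid)
        return -1;
    /* For a non-root caller, regaining root must now fail. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int drop_privileges(void) { return drop_privileges_with(setgid, setuid); }

/* Constructed stand-in for a setuid() call that fails. */
int failing_setuid(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

int main(void)
{
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1; /* refuse to parse while still privileged */
    }
    puts("privileges dropped; safe to parse");
    return 0;
}
```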
