Vulnerability: userv
Affected: userv 1.0.0 and prior

Description:

Ian Jackson found the following. GNU userv 1.0.0 and earlier versions have a vulnerability where, under some conditions, some local users may be able to carry out unauthorised actions or (unlikely) be able to take control of service user accounts.

Affected versions of userv sometimes make an out-of-bounds array reference in the fd swapping algorithm. The effect of this, if any, on i386 platforms is usually to corrupt the USERV_GROUPS and USERV_GIDS environment variables as passed to child processes, replacing one of the groups with a wrong other group. This means that service programs that use those environment variables (or other information provided by the caller) to make access control decisions may be vulnerable to trickery by some local users. On other platforms other information relied on in the service program may be corrupted. It may even be possible to induce the userv subprocess which later execs the service program to crash or behave maliciously, though this is unlikely and would require considerable research to construct an exploit.

Access control tests carried out in userv's configuration language are not affected, as they take place before the bug happens. So users who do not configure (or have configured for them) any userv services are not vulnerable, and users who are not configured as callers for any userv services cannot exploit the problem. The bug also happens well after the userv server has given up its root privilege and switched to the service user, so unless you have userv services provided by root which can be called by untrusted users, you are not vulnerable.

Solution:

GNU userv 1.0.1 is now available and fixes this hole. Apply the patch below and recompile and reinstall.
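The mechanism described above (an unused table slot whose realfd is -1 making the holdfd assignment write just before the table) can be shown with a small simulation. This is an added example, not userv's own code: the fd table is modelled as a flat array of ints with a single gid value placed immediately before it, which is an assumed layout chosen so that the index -1 write lands somewhere visible, and the slot values (0, 2, 1, -1) are constructed for the example. The real userv data type and whatever sat next to it on i386 are not known from the advisory; only the consequence (a group replaced by a wrong value) is.

```c
#include <stdio.h>

/*
 * Simulated memory, one int per cell (assumed layout for illustration only):
 *   cells[0]         : a gid value that happens to sit just before the table
 *   cells[1 + 2*i]   : fdarray[i].realfd
 *   cells[2 + 2*i]   : fdarray[i].holdfd
 * So "fdarray[-1].holdfd" resolves to cells[0], the gid.
 */
#define NSLOTS   4
#define NCELLS   (1 + 2 * NSLOTS)
#define GID_CELL 0
#define REALFD(i) (1 + 2 * (i))
#define HOLDFD(i) (2 + 2 * (i))

/* Store `value` into slot `slot`'s holdfd.  Returns the cell index written,
 * or -1 if the write would fall outside the simulated memory entirely. */
static int write_holdfd(int *cells, int slot, int value)
{
    int idx = HOLDFD(slot);
    if (idx < 0 || idx >= NCELLS)
        return -1;
    cells[idx] = value;
    return idx;
}

/* Pre-1.0.1 behaviour: only an upper bound on realfd is checked, so a
 * realfd of -1 (unused slot) writes one record before the table.
 * Returns how many writes hit the gid cell. */
int holdfd_pass_unguarded(int *cells, int used)
{
    int corrupted = 0;
    for (int fd = 0; fd < used; fd++) {
        int realfd = cells[REALFD(fd)];
        if (realfd < used) {
            if (write_holdfd(cells, realfd, fd) == GID_CELL)
                corrupted++;
        }
    }
    return corrupted;
}

/* 1.0.1 behaviour: the lower bound is checked as well. */
int holdfd_pass_guarded(int *cells, int used)
{
    int corrupted = 0;
    for (int fd = 0; fd < used; fd++) {
        int realfd = cells[REALFD(fd)];
        if (realfd < used && realfd >= 0) {
            if (write_holdfd(cells, realfd, fd) == GID_CELL)
                corrupted++;
        }
    }
    return corrupted;
}

/* Constructed table: slots 0..2 map to real fds 0, 2, 1; slot 3 is unused (-1). */
void build_table(int *cells, int gid)
{
    static const int realfds[NSLOTS] = { 0, 2, 1, -1 };
    for (int i = 0; i < NCELLS; i++)
        cells[i] = 0;
    cells[GID_CELL] = gid;
    for (int i = 0; i < NSLOTS; i++) {
        cells[REALFD(i)] = realfds[i];
        cells[HOLDFD(i)] = -1;
    }
}

/* Run one pass over a fresh table and report the gid cell afterwards. */
int gid_after_pass(int guarded, int gid)
{
    int cells[NCELLS];
    build_table(cells, gid);
    if (guarded)
        holdfd_pass_guarded(cells, NSLOTS);
    else
        holdfd_pass_unguarded(cells, NSLOTS);
    return cells[GID_CELL];
}

int main(void)
{
    printf("gid before: %d\n", 1000);
    printf("gid after unguarded pass: %d\n", gid_after_pass(0, 1000));
    printf("gid after guarded pass:   %d\n", gid_after_pass(1, 1000));
    return 0;
}
```

In the unguarded pass the unused slot's realfd of -1 passes the `< fdarrayused` test, and the holdfd store lands on the cell before the table, replacing the gid 1000 with the loop counter 3, the same kind of "wrong other group" the advisory describes; the guarded pass leaves it intact.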
Index: servexec.c =================================================================== RCS file: /usr/src/CVS/userv/servexec.c,v retrieving revision 1.13 retrieving revision 1.14 diff -u -r1.13 -r1.14 --- servexec.c 2000/03/06 18:14:46 1.13 +++ servexec.c 2000/07/27 00:08:34 1.14 @@ -266,7 +266,8 @@ fdarray[fd].holdfd= -1; } for (fd=0; fd<fdarrayused; fd++) { - if (fdarray[fd].realfd < fdarrayused) fdarray[fdarray[fd].realfd].holdfd= fd; + if (fdarray[fd].realfd < fdarrayused && fdarray[fd].realfd >= 0) + fdarray[fdarray[fd].realfd].holdfd= fd; } for (fd=0; fd<fdarrayused; fd++) { realfd= fdarray[fd].realfd; For Debian Linux: http://security.debian.org/dists/stable/updates/source/userv_1.0.1.0slink.dsc http://security.debian.org/dists/stable/updates/source/userv_1.0.1.0slink.tar.gz http://security.debian.org/dists/stable/updates/binary-alpha/userv_1.0.1.0slink_alpha.deb http://security.debian.org/dists/stable/updates/binary-i386/userv_1.0.1.0slink_i386.deb http://security.debian.org/dists/stable/updates/binary-m68k/userv_1.0.1.0slink_m68k.deb http://security.debian.org/dists/stable/updates/binary-sparc/userv_1.0.1.0slink_sparc.deb http://security.debian.org/dists/potato/updates/main/source/userv_1.0.1.1potato.dsc http://security.debian.org/dists/potato/updates/main/source/userv_1.0.1.1potato.tar.gz http://security.debian.org/dists/potato/updates/main/binary-alpha/userv_1.0.1.1potato_alpha.deb http://security.debian.org/dists/potato/updates/main/binary-i386/userv_1.0.1.1potato_i386.deb http://security.debian.org/dists/potato/updates/main/binary-sparc/userv_1.0.1.1potato_sparc.deb
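Review bot: the added `fdarray[fd].realfd >= 0` guard in the first loop closes the negative-index write (a realfd of -1 would index `fdarray[-1].holdfd`, the same -1 sentinel the preceding line uses for holdfd), but the loop that immediately follows begins `realfd= fdarray[fd].realfd;` and this hunk does not show what it does with that value; confirm that any later use of `realfd` as an index into fdarray gets the same lower-bound check, since the patch only guards the holdfd assignment. Consider also putting the `>= 0` test first, so the condition reads as a range check on realfd rather than as an afterthought.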