Import Debian changes 1:4.2-3+deb8u5

shadow (1:4.2-3+deb8u5) jessie-security; urgency=high
.
  * Non-maintainer upload by the ELTS team.
  * SECURITY UPDATE: Crash or buffer overflow
    - debian/patches/CVE-2017-12424.patch: fix buffer overflow if
      NULL line is present in db in lib/commonio.c.
    - CVE-2017-12424
  * SECURITY UPDATE: Access to privileged information
    - debian/patches/CVE-2018-7169.patch: newgidmap:
      enforce setgroups=deny if self-mapping a group in
      src/newgidmap.c.
    - CVE-2018-7169
This commit is contained in:
Utkarsh Gupta
2022-02-01 04:40:19 +05:30
committed by Sylvain Beucler
parent bd62b6b2fb
commit cd15c4e84b
4 changed files with 228 additions and 0 deletions
+15
View File
@@ -1,3 +1,18 @@
shadow (1:4.2-3+deb8u5) jessie-security; urgency=high
* Non-maintainer upload by the ELTS team.
* SECURITY UPDATE: Crash or buffer overflow
- debian/patches/CVE-2017-12424.patch: fix buffer overflow if
NULL line is present in db in lib/commonio.c.
- CVE-2017-12424
* SECURITY UPDATE: Access to privileged information
- debian/patches/CVE-2018-7169.patch: newgidmap:
enforce setgroups=deny if self-mapping a group in
src/newgidmap.c.
- CVE-2018-7169
-- Utkarsh Gupta <utkarsh@ubuntu.com> Tue, 01 Feb 2022 04:40:19 +0530
shadow (1:4.2-3+deb8u4) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
+37
View File
@@ -0,0 +1,37 @@
From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Fri, 31 Mar 2017 16:25:06 +0200
Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
If ptr->line == NULL for an entry, the first cycle will exit,
but the second one will happily write past entries buffer.
We actually do not want to exit the first cycle prematurely
on ptr->line == NULL.
Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>
---
lib/commonio.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -755,16 +755,16 @@
for (ptr = db->head;
(NULL != ptr)
#if KEEP_NIS_AT_END
- && (NULL != ptr->line)
- && ( ('+' != ptr->line[0])
- && ('-' != ptr->line[0]))
+ && ((NULL == ptr->line)
+ || (('+' != ptr->line[0])
+ && ('-' != ptr->line[0])))
#endif
;
ptr = ptr->next) {
n++;
}
#if KEEP_NIS_AT_END
- if ((NULL != ptr) && (NULL != ptr->line)) {
+ if (NULL != ptr) {
nis = ptr;
}
#endif
+174
View File
@@ -0,0 +1,174 @@
From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Thu, 15 Feb 2018 23:49:40 +1100
Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group
This is necessary to match the kernel-side policy of "self-mapping in a
user namespace is fine, but you cannot drop groups" -- a policy that was
created in order to stop user namespaces from allowing trivial privilege
escalation by dropping supplementary groups that were "blacklisted" from
certain paths.
This is the simplest fix for the underlying issue, and effectively makes
it so that unless a user has a valid mapping set in /etc/subgid (which
only administrators can modify) -- and they are currently trying to use
that mapping -- then /proc/$pid/setgroups will be set to deny. This
workaround is only partial, because ideally it should be possible to set
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
administrators to further restrict newgidmap(1).
We also don't write anything in the "allow" case because "allow" is the
default, and users may have already written "deny" even if they
technically are allowed to use setgroups. And we don't write anything if
the setgroups policy is already "deny".
Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
Fixes: CVE-2018-7169
Reported-by: Craig Furman <craig.furman89@gmail.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
--- a/src/newgidmap.c
+++ b/src/newgidmap.c
@@ -46,32 +46,37 @@
*/
const char *Prog;
-static bool verify_range(struct passwd *pw, struct map_range *range)
+
+static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
{
/* An empty range is invalid */
if (range->count == 0)
return false;
- /* Test /etc/subgid */
- if (have_sub_gids(pw->pw_name, range->lower, range->count))
+ /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
+ if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
+ *allow_setgroups = true;
return true;
+ }
- /* Allow a process to map it's own gid */
- if ((range->count == 1) && (pw->pw_gid == range->lower))
+ /* Allow a process to map its own gid. */
+ if ((range->count == 1) && (pw->pw_gid == range->lower)) {
+ /* noop -- if setgroups is enabled already we won't disable it. */
return true;
+ }
return false;
}
static void verify_ranges(struct passwd *pw, int ranges,
- struct map_range *mappings)
+ struct map_range *mappings, bool *allow_setgroups)
{
struct map_range *mapping;
int idx;
mapping = mappings;
for (idx = 0; idx < ranges; idx++, mapping++) {
- if (!verify_range(pw, mapping)) {
+ if (!verify_range(pw, mapping, allow_setgroups)) {
fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
Prog,
mapping->upper,
@@ -89,6 +94,70 @@
exit(EXIT_FAILURE);
}
+void write_setgroups(int proc_dir_fd, bool allow_setgroups)
+{
+ int setgroups_fd;
+ char *policy, policy_buffer[4096];
+
+ /*
+ * Default is "deny", and any "allow" will out-rank a "deny". We don't
+ * forcefully write an "allow" here because the process we are writing
+ * mappings for may have already set themselves to "deny" (and "allow"
+ * is the default anyway). So allow_setgroups == true is a noop.
+ */
+ policy = "deny\n";
+ if (allow_setgroups)
+ return;
+
+ setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
+ if (setgroups_fd < 0) {
+ /*
+ * If it's an ENOENT then we are on too old a kernel for the setgroups
+ * code to exist. Emit a warning and bail on this.
+ */
+ if (ENOENT == errno) {
+ fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
+ goto out;
+ }
+ fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
+ Prog,
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
+ /*
+ * Check whether the policy is already what we want. /proc/self/setgroups
+ * is write-once, so attempting to write after it's already written to will
+ * fail.
+ */
+ if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
+ fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
+ Prog,
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ if (!strncmp(policy_buffer, policy, strlen(policy)))
+ goto out;
+
+ /* Write the policy. */
+ if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
+ fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
+ Prog,
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ if (dprintf(setgroups_fd, "%s", policy) < 0) {
+ fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
+ Prog,
+ policy,
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
+out:
+ close(setgroups_fd);
+}
+
/*
* newgidmap - Set the gid_map for the specified process
*/
@@ -103,6 +172,7 @@
struct stat st;
struct passwd *pw;
int written;
+ bool allow_setgroups = false;
Prog = Basename (argv[0]);
@@ -144,7 +214,7 @@
(unsigned long) getuid ()));
return EXIT_FAILURE;
}
-
+
/* Get the effective uid and effective gid of the target process */
if (fstat(proc_dir_fd, &st) < 0) {
fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
@@ -174,8 +244,9 @@
if (!mappings)
usage();
- verify_ranges(pw, ranges, mappings);
+ verify_ranges(pw, ranges, mappings, &allow_setgroups);
+ write_setgroups(proc_dir_fd, allow_setgroups);
write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
sub_gid_close();
+2
View File
@@ -38,3 +38,5 @@
1000_configure_userns
1010_vietnamese_translation
1020_fix_user_busy_errors
CVE-2017-12424.patch
CVE-2018-7169.patch