Subject: README: important security fix for -current
To: None <current-users@netbsd.org>
From: Jaromir Dolecek <jdolecek@netbsd.org>
List: current-users
Date: 11/13/2002 17:21:48

Folks,

If you use -current with userland newer than 2002/08/26, please
update your kernel to the most current sources ASAP.

A serious security issue was fixed in sys/kern/exec_elf32.c rev.
1.77. The bug used to allow any local user to run arbitrary code as
root via a dynamic suid/sgid binary.

The kernel passed incorrect information about effective uid/gid to
dynamic programs, and thus dynamic suid/sgid programs failed to
ignore LD_LIBRARY_PATH.

Neither the 1.6 branch nor anything older is affected by this. Static
suid/sgid programs are not affected either. There isn't any need to
recompile userland programs; just update your kernel.

A fixed kernel binary should give this:
> ident /netbsd | grep exec_elf
     $NetBSD: exec_elf32.c,v 1.77 2002/11/13 15:49:44 jdolecek Exp $
     $NetBSD: exec_elf_common.c,v 1.15 2002/05/31 16:49:12 atatat Exp $
>

I'm attaching the patch (the difference between rev 1.76 and rev 1.77)
to this e-mail, in case the change isn't available on anoncvs yet.

Thanks,

Jaromir
-- 
Jaromir Dolecek <jdolecek@NetBSD.org>            http://www.NetBSD.org/
-=- We should be mindful of the potential goal, but as the tantric    -=-
-=- Buddhist masters say, ``You may notice during meditation that you -=-
-=- sometimes levitate or glow.   Do not let this distract you.''     -=-

[Attachment: execelf.patch]

Index: exec_elf32.c
===================================================================
RCS file: /cvsroot/syssrc/sys/kern/exec_elf32.c,v
retrieving revision 1.76
retrieving revision 1.77
diff -u -p -r1.76 -r1.77
--- exec_elf32.c	2002/10/05 22:34:05	1.76
+++ exec_elf32.c	2002/11/13 15:49:44	1.77
@@ -126,6 +126,7 @@ ELFNAME(copyargs)(struct proc *p, struct
 	 * linked binaries
 	 */
 	if ((ap = (struct elf_args *)pack->ep_emul_arg)) {
+		struct vattr *vap = pack->ep_vap;
 
 		a->a_type = AT_PHDR;
 		a->a_v = ap->arg_phaddr;
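Review bot: `vap = pack->ep_vap` is taken here without a NULL check and is dereferenced unconditionally in the AT_EUID and AT_EGID branches below, inside a block that runs for every dynamically linked binary; if any exec path can reach copyargs with `ep_vap` unset, that is a kernel NULL dereference on exec. Either check (or at least KASSERT) `vap != NULL` at this point, or add a comment stating why `ep_vap` is always filled in before copyargs runs, so the next reader does not have to trace the exec path to confirm it.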
@@ -156,7 +157,10 @@ ELFNAME(copyargs)(struct proc *p, struct
 		a++;
 
 		a->a_type = AT_EUID;
-		a->a_v = p->p_ucred->cr_uid;
+		if (vap->va_mode & S_ISUID)
+			a->a_v = vap->va_uid;
+		else
+			a->a_v = p->p_ucred->cr_uid;
 		a++;
 
 		a->a_type = AT_RUID;
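Review bot: the value reported as AT_EUID now depends only on the S_ISUID bit in `vap->va_mode`, not on whether this exec actually switched credentials; where the set-id bit is present but not honoured (a nosuid mount, for instance), AT_EUID claims `vap->va_uid` while the process keeps the invoker's effective uid. That errs toward the dynamic linker distrusting the environment, which is the safe direction, but the aux vector then misdescribes the process. If the final credentials are available at this point, derive the value from them instead of from the file mode; otherwise add a comment saying that AT_EUID is the id the exec will grant, not the current `p_ucred->cr_uid`, so the two branches are not read as interchangeable.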
@@ -164,7 +168,10 @@ ELFNAME(copyargs)(struct proc *p, struct
 		a++;
 
 		a->a_type = AT_EGID;
-		a->a_v = p->p_ucred->cr_gid;
+		if (vap->va_mode & S_ISGID)
+			a->a_v = vap->va_gid;
+		else
+			a->a_v = p->p_ucred->cr_gid;
 		a++;
 
 		a->a_type = AT_RGID;
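Review bot: the AT_EGID branch repeats the AT_EUID logic with `S_ISGID`/`va_gid` substituted; a small helper or macro taking the mode bit, the file id and the credential id would keep the two in step if either is touched again. The same caveat as for AT_EUID applies: the S_ISGID test reports the file's group regardless of whether the exec honoured the bit. It is also worth a comment that the two bits are tested independently, so a binary with only the setgid bit reports the invoker's euid together with the file's gid, which is the intended combination for the linker's euid/ruid and egid/rgid comparison.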

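As an added example, not part of the e-mail or of NetBSD's sources, the following C program shows what the patched code is feeding: the AT_EUID/AT_RUID/AT_EGID/AT_RGID entries of the ELF aux vector, the trust decision a dynamic linker derives from them (honour LD_LIBRARY_PATH only when effective and real ids agree), and a consistency check comparing the kernel-reported ids with the ids the process actually holds, which is how a defender would confirm that a running kernel reports the set-id case correctly. `struct auxinfo` mirrors the `a_type`/`a_v` layout written by `copyargs`; the AT_* tags come from the system `<elf.h>`, with `AT_RUID`/`AT_RGID` mapped to the `AT_UID`/`AT_GID` names glibc uses. The two sample vectors are constructed for the example; the "buggy" one assumes `cr_uid` still held the invoking user's id when the vector was built, which is an assumption consistent with, but not stated by, the e-mail.

```c
/* Added example (not NetBSD code): ELF aux-vector id entries, the linker's
 * trust decision, and a consistency check against the process's real ids.
 * struct auxinfo mirrors the a_type/a_v layout the kernel's copyargs writes. */
#include <elf.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* glibc's <elf.h> names the real ids AT_UID/AT_GID; NetBSD uses AT_RUID/AT_RGID. */
#ifndef AT_RUID
#define AT_RUID AT_UID
#endif
#ifndef AT_RGID
#define AT_RGID AT_GID
#endif

struct auxinfo {
    long a_type;          /* AT_* tag */
    unsigned long a_v;    /* value for that tag */
};

/* Mismatch bits returned by auxv_check_ids(). */
enum { MISMATCH_EUID = 1, MISMATCH_EGID = 2, MISMATCH_RUID = 4, MISMATCH_RGID = 8 };

/* Scan an AT_NULL-terminated aux vector for one tag; returns 1 if found. */
static int auxv_lookup(const struct auxinfo *av, long type, unsigned long *out)
{
    for (; av->a_type != AT_NULL; av++) {
        if (av->a_type == type) {
            *out = av->a_v;
            return 1;
        }
    }
    return 0;
}

/* The decision the dynamic linker takes from the aux vector: LD_LIBRARY_PATH
 * may only be honoured when effective and real ids agree. A vector missing
 * any of the four tags is treated as privileged (fail closed). */
int auxv_trusts_environment(const struct auxinfo *av)
{
    unsigned long euid, ruid, egid, rgid;
    if (!auxv_lookup(av, AT_EUID, &euid) || !auxv_lookup(av, AT_RUID, &ruid) ||
        !auxv_lookup(av, AT_EGID, &egid) || !auxv_lookup(av, AT_RGID, &rgid))
        return 0;
    return euid == ruid && egid == rgid;
}

/* Compare the ids the kernel placed in the aux vector with the ids the
 * process actually runs with (what geteuid()/getuid()/getegid()/getgid()
 * report). Returns 0 when consistent, else a bitmask of MISMATCH_* flags. */
int auxv_check_ids(const struct auxinfo *av, uid_t euid, uid_t ruid, gid_t egid, gid_t rgid)
{
    unsigned long v;
    int bad = 0;
    if (auxv_lookup(av, AT_EUID, &v) && v != euid) bad |= MISMATCH_EUID;
    if (auxv_lookup(av, AT_RUID, &v) && v != ruid) bad |= MISMATCH_RUID;
    if (auxv_lookup(av, AT_EGID, &v) && v != egid) bad |= MISMATCH_EGID;
    if (auxv_lookup(av, AT_RGID, &v) && v != rgid) bad |= MISMATCH_RGID;
    return bad;
}

/* The rule the fixed kernel (rev 1.77) applies for AT_EUID: the file owner
 * when the executable carries the set-uid bit, otherwise the credential's id. */
unsigned long fixed_aux_euid(mode_t mode, uid_t file_uid, uid_t cred_uid)
{
    return (mode & S_ISUID) ? file_uid : cred_uid;
}

/* Constructed sample: user 1000 (group 100) runs a root-owned set-uid binary.
 * "buggy" assumes the old kernel copied cr_uid while it still held the real
 * uid; "fixed" reports the file owner as the patch does. */
static const struct auxinfo buggy_auxv[] = {
    { AT_EUID, 1000 }, { AT_RUID, 1000 }, { AT_EGID, 100 }, { AT_RGID, 100 }, { AT_NULL, 0 }
};
static const struct auxinfo fixed_auxv[] = {
    { AT_EUID, 0 }, { AT_RUID, 1000 }, { AT_EGID, 100 }, { AT_RGID, 100 }, { AT_NULL, 0 }
};

int main(void)
{
    /* After the set-uid exec the process really runs as euid 0 / ruid 1000. */
    printf("buggy kernel: trusts LD_LIBRARY_PATH=%d mismatch=0x%x\n",
           auxv_trusts_environment(buggy_auxv),
           auxv_check_ids(buggy_auxv, 0, 1000, 100, 100));
    printf("fixed kernel: trusts LD_LIBRARY_PATH=%d mismatch=0x%x\n",
           auxv_trusts_environment(fixed_auxv),
           auxv_check_ids(fixed_auxv, 0, 1000, 100, 100));
    printf("fixed_aux_euid(04755, 0, 1000) = %lu\n", fixed_aux_euid(04755, 0, 1000));
    return 0;
}
```

With the buggy vector the linker sees euid == ruid and keeps trusting LD_LIBRARY_PATH even though the process is running as root, which is exactly the mismatch `auxv_check_ids` flags; with the fixed vector the ids disagree, the environment is distrusted, and the check passes. On a live system the same comparison can be made by reading the process's own aux vector (for example from `/proc/self/auxv` on Linux) and calling `auxv_check_ids` with the values the get*id() calls return.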