Subject: bin/2646: eeprom: another insecure kvm program
To: None <gnats-bugs@NetBSD.ORG>
From: Mike Grupenhoff <kashmir@vanquish.umiacs.umd.edu>
List: netbsd-bugs
Date: 07/20/1996 17:28:35
>Number: 2646
>Category: bin
>Synopsis: eeprom: another insecure kvm program
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Jul 20 17:50:01 1996
>Last-Modified:
>Originator: Mike Grupenhoff
>Organization:
foo
>Release: 1.2_BETA
>Environment:
System: NetBSD vanquish.umiacs.umd.edu 1.2_BETA NetBSD 1.2_BETA (VANQUISH) #6: Thu Jul 18 17:06:14 EDT 1996 beal@vanquish.umiacs.umd.edu:/usr/src/sys/arch/sparc/compile/VANQUISH sparc
>Description:
/usr/sbin/eeprom is another kvm prog that doesn't discard setgid
perms when an alternate kernel is specified.
>How-To-Repeat:
eeprom -N bogus_kernel .....
>Fix:
patch for /usr/src/usr.sbin/eeprom/main.c:
--- main.c 1996/07/20 21:21:46 1.1
+++ main.c 1996/07/20 21:21:49
@@ -160,6 +160,12 @@
argv += optind;
#ifdef __sparc__
+ /*
+ * Discard setgid privileges if not the running kernel so that bad
+ * guys can't print interesting stuff from kernel memory.
+ */
+ if (system != NULL)
+ setgid(getgid());
if (getcputype() != CPU_SUN4)
use_openprom = 1;
#endif /* __sparc__ */
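Review bot: The added `setgid(getgid());` ignores its return value, so if the call fails, eeprom continues with its setgid group still in effect and the kernel-memory reads the comment wants to prevent go ahead anyway. Check the result and bail out on failure, for example `if (system != NULL && setgid(getgid()) != 0) err(1, "setgid");` or the file's existing error path. Second point: the drop sits inside the `#ifdef __sparc__` block, so it is compiled only on sparc; if an alternate kernel can be named on other builds of this file, the check belongs above the `#ifdef` so it applies everywhere.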
>Audit-Trail:
>Unformatted: