Bug 1358625 (CVE-2016-6252)

Summary: CVE-2016-6252 shadow-utils: Incorrect integer handling results in LPE
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: carnil, dmoppert, pkis, pvrabec, sardella, slawomir, tmraz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-25 06:45:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1358629
Bug Blocks: 1358628

Description Andrej Nemec 2016-07-21 07:54:28 UTC
An integer overflow vulnerability was found in shadow-utils. An attacker can use this for local privilege escalation.

References:

http://seclists.org/oss-sec/2016/q3/111

CVE assignment:

http://seclists.org/oss-sec/2016/q3/115

Comment 1 Andrej Nemec 2016-07-21 08:00:47 UTC
Created shadow-utils tracking bugs for this issue:

Affects: fedora-all [bug 1358629]

Comment 2 Andrej Nemec 2016-07-25 12:35:54 UTC
Upstream bug:

https://github.com/shadow-maint/shadow/issues/27

Comment 3 Doran Moppert 2016-08-25 05:56:28 UTC
The rhel-5 package shadow-4.0.17 does not include this vulnerability.

rhel-6 and rhel-7 shadow-4.1.15-1 include the getulong() function to which a portion of the upstream patch applies, but it is used much less widely and the idmapping does not exist in this version.  Thus the demonstration from oss-sec using `newuidmap` is not possible.

While the getulong() patch applies to shadow-4.1.15, its use is such that no security flaw exists.  The interface to the kernel through /proc/$$/uid_map which enables the vulnerability in 4.2.1 is not present, and of the remaining uses:

> 0 getdef.c  getdef_ulong 314 if (getulong (d->value, &val) == 0) {
> 1 limits.c  set_umask    135 if ( (getulong (value, &mask) == 0)
> 2 limits.c  check_logins 155 if (getulong (maxlogins, &limit) == 0) {
> 3 limits.c  setup_limits 593 if ( (getulong (cp + 6, &mask) == 0)

These parse strings in /etc/limits and /etc/login.defs, which are under administrator control and cannot be influenced by unprivileged users.

> 4 rlogin.c  do_rlogin    150 if (getulong (cp, &remote_speed) == 0) {

This (rarely used) code parses the terminal speed, and does not present a vulnerability.

> 5 lastlog.c main         228 if (getulong (optarg, &inverse_days) == 0) {
> 6 lastlog.c main         246 if (getulong (optarg, &days) == 0) {

These parse arguments given to /bin/lastlog, which is an unprivileged program - day counts in the billions aren't of interest to lastlog in any case :).
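The flaw class the bug summary names, a user-supplied number accepted with the wrong sign or outside the type's range and then fed into a range check whose unsigned additions wrap, is easiest to see in a few lines of C. The following is an example added here; it is not shadow-utils' getulong() or newuidmap code and not the oss-sec demonstration. The function names parse_ulong_loose, parse_ulong_strict, range_within_naive, range_within and request_granted, and the 100000/65536 sample range, are assumptions made for the illustration.

```c
/*
 * Constructed illustration of the flaw class in this bug: a number parsed
 * from untrusted input is accepted with the wrong sign or past the type's
 * range, then used in a containment check whose additions wrap around.
 * This is example code added here, NOT shadow-utils' getulong() or
 * newuidmap code; all function names and the 100000/65536 sample range
 * are assumptions made for the demonstration.
 */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Loose parse: routes an unsigned value through a signed conversion and
 * casts.  "-1" survives every check and comes out as ULONG_MAX. */
int parse_ulong_loose(const char *s, unsigned long *out)
{
    char *end;
    long long v;

    errno = 0;
    v = strtoll(s, &end, 0);
    if (*s == '\0' || *end != '\0' || errno == ERANGE)
        return 0;
    *out = (unsigned long)v;   /* sign silently discarded */
    return 1;
}

/* Strict parse: digits only, no sign, no whitespace, no trailing junk,
 * and ERANGE (value above ULONG_MAX) is an error.  strtoul itself
 * accepts "-1" and wraps it, so the sign is rejected before the call. */
int parse_ulong_strict(const char *s, unsigned long *out)
{
    char *end;
    unsigned long v;

    if (*s == '\0' || !isdigit((unsigned char)*s))
        return 0;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (*end != '\0' || errno == ERANGE)
        return 0;
    *out = v;
    return 1;
}

/* Naive containment check: [lower, lower+count) inside
 * [rlower, rlower+rcount).  Unsigned addition wraps, so a count near
 * ULONG_MAX makes lower+count small and the check passes. */
int range_within_naive(unsigned long lower, unsigned long count,
                       unsigned long rlower, unsigned long rcount)
{
    return lower >= rlower && lower + count <= rlower + rcount;
}

/* Overflow-aware containment check: refuse empty ranges and any sum
 * that would wrap before comparing. */
int range_within(unsigned long lower, unsigned long count,
                 unsigned long rlower, unsigned long rcount)
{
    if (count == 0 || rcount == 0)
        return 0;
    if (count > ULONG_MAX - lower || rcount > ULONG_MAX - rlower)
        return 0;
    return lower >= rlower && lower + count <= rlower + rcount;
}

/* End-to-end: parse "lower" and "count" strings with the given parser and
 * test the request against the permitted range with the given checker.
 * Returns 1 only if the request would be granted. */
int request_granted(const char *lower_s, const char *count_s,
                    unsigned long rlower, unsigned long rcount,
                    int (*parse)(const char *, unsigned long *),
                    int (*check)(unsigned long, unsigned long,
                                 unsigned long, unsigned long))
{
    unsigned long lower, count;

    if (!parse(lower_s, &lower) || !parse(count_s, &count))
        return 0;
    return check(lower, count, rlower, rcount);
}

int main(void)
{
    /* Sample permitted range (constructed): ids 100000..165535. */
    const unsigned long rlower = 100000UL, rcount = 65536UL;

    printf("loose parse + naive check, count \"-1\": %s\n",
           request_granted("100000", "-1", rlower, rcount,
                           parse_ulong_loose, range_within_naive)
               ? "GRANTED (bug)" : "rejected");
    printf("strict parse + checked range, count \"-1\": %s\n",
           request_granted("100000", "-1", rlower, rcount,
                           parse_ulong_strict, range_within)
               ? "GRANTED" : "rejected");
    return 0;
}
```

Build with `cc -Wall -o idrange idrange.c`. Note that `-fsanitize=undefined` will not flag the naive check: unsigned wraparound is defined behaviour in C, so the overflow guard has to be written explicitly. The example also makes the point of Comment 3 concrete: the same loose parser is only a security flaw where an unprivileged user controls the string and a privileged decision depends on the result; parsing root-owned configuration with it is a robustness issue, not a privilege boundary.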