Red Hat Bugzilla – Full Text Bug Listing
Summary: CVE-2012-2653 arpwatch: fails to drop supplementary groups
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW ---
QA Contact: (none)
Fixed In Version: (none)
Doc Type: Bug Fix
Doc Text: (none)
Story Points: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host: (none)
Bug Depends On: 726759, 828436
Description Vincent Danen 2012-05-25 13:23:35 EDT
As reported on the oss-security mailing list, the arpwatch-drop.patch as included in Red Hat arpwatch packages does not properly drop capabilities when changing uid/gid. It calls initgroups() as:

+ if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
+ setuid(pw->pw_uid) != 0 )

However in this case, the NULL results in group 0 being added to the supplementary groups list.

http://www.openwall.com/lists/oss-security/2012/05/24/12
Comment 2 Vincent Danen 2012-05-25 13:26:38 EDT
Oh, this does not affect upstream arpwatch.
Comment 3 Vincent Danen 2012-05-25 13:50:39 EDT
There was an additional mention of a tcpdump patch having this same problem: http://www.openwall.com/lists/oss-security/2012/05/25/2 (patch: http://users.jyu.fi/~mesrik/pkg/tcpdump/tcpdump-3.7.1-droproot2.patch), but upon looking at tcpdump in RHEL and Fedora, we are using:

if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||

(which looks to be upstream-based, and would be ok).
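The description and Comment 3 contrast the broken call, initgroups(pw->pw_name, NULL), with the correct one, initgroups(pw->pw_name, pw->pw_gid). On Linux NULL converted to a gid_t is 0, so the buggy form appends root's group to the supplementary list even though uid and gid are then changed. The following C program is an added illustration, not code from arpwatch, tcpdump or the Red Hat patch: it performs the drop in the correct order with every step checked, then verifies that root is not recoverable and that gid 0 is absent from getgroups(). The account name "nobody" in main() is an assumption for the demonstration; groups_contain_root() can be exercised on constructed lists without root.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if a supplementary group list still contains gid 0 (root),
 * i.e. a privilege drop left root group access in place; 0 otherwise. */
int groups_contain_root(const gid_t *groups, int ngroups)
{
    for (int i = 0; i < ngroups; i++) {
        if (groups[i] == 0)
            return 1;
    }
    return 0;
}

/* Inspect the calling process's own supplementary group list.
 * Returns 1 if gid 0 is present, 0 if not, -1 on error. */
int process_has_root_group(void)
{
    int n = getgroups(0, NULL);          /* query the list length only */
    if (n < 0)
        return -1;
    if (n == 0)
        return 0;
    gid_t *groups = calloc((size_t)n, sizeof *groups);
    if (groups == NULL)
        return -1;
    n = getgroups(n, groups);
    int rc = (n < 0) ? -1 : groups_contain_root(groups, n);
    free(groups);
    return rc;
}

/* Drop root privileges to the named unprivileged user in the order
 * supplementary groups -> primary gid -> uid. The user's real primary
 * gid is passed to initgroups(); the buggy patch passed NULL, which as
 * a gid_t is 0 and therefore added root's group to the list.
 * Returns 0 on success, -1 on any failure with errno set. */
int drop_privileges(const char *user)
{
    errno = 0;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        if (errno == 0)
            errno = ENOENT;              /* user simply does not exist */
        return -1;
    }
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;

    /* Verify the drop: root must not be recoverable, and gid 0 must be
     * gone from the supplementary groups. */
    if (pw->pw_uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (process_has_root_group() != 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    const char *target = "nobody";       /* assumed account name */
    if (geteuid() != 0) {
        printf("not root; gid 0 in supplementary groups: %d\n",
               process_has_root_group());
        return 0;
    }
    if (drop_privileges(target) != 0) {
        fprintf(stderr, "drop_privileges(%s) failed: %s\n",
                target, strerror(errno));
        return 1;
    }
    printf("now uid %u, gid 0 in supplementary groups: %d\n",
           (unsigned)getuid(), process_has_root_group());
    return 0;
}
```

The post-drop checks are the part worth copying: a daemon that only tests the return codes of initgroups()/setgid()/setuid() would have reported success with the buggy patch, because every call succeeded; only reading back getgroups() exposes the leftover gid 0.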
Comment 5 Vincent Danen 2012-06-04 14:03:12 EDT
Created arpwatch tracking bugs for this issue

Affects: fedora-all [bug 828436]
Comment 7 Fedora Update System 2012-06-19 20:31:32 EDT
arpwatch-2.1a15-20.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-06-19 20:34:22 EDT
arpwatch-2.1a15-16.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-06-19 20:35:26 EDT
arpwatch-2.1a15-18.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Stefan Cornelius 2012-08-16 06:26:40 EDT
Statement: The Red Hat Security Response Team has rated this issue as having moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.