Bug 825328 (CVE-2012-2653)

Summary: CVE-2012-2653 arpwatch: fails to drop supplementary groups
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: jsynacek, mlichvar
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20120524,reported=20120524,source=oss-security,cvss2=3.3/AV:A/AC:L/Au:N/C:N/I:P/A:N,rhel-6/arpwatch=defer,fedora-all/arpwatch=affected
Doc Type: Bug Fix
Bug Depends On: 726759, 828436
Bug Blocks: 825330

Description Vincent Danen 2012-05-25 13:23:35 EDT
As reported on the oss-security mailing list [1] the arpwatch-drop.patch as included in Red Hat arpwatch packages does not properly drop capabilities when changing uid/gid.  It calls initgroups() as:

+ if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
+                                setuid(pw->pw_uid) != 0 ) 
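Review bot: the second argument to initgroups() on the first line should be the user's primary gid, pw->pw_gid, not NULL. NULL is converted to gid 0, and initgroups() adds that gid to the supplementary group list it installs, so after setgid()/setuid() the process still holds root group membership. Suggested: `if ( initgroups(pw->pw_name, pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 ||`, which matches the upstream-based tcpdump line quoted in comment 3.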

However, in this case, the NULL results in group 0 being added to the supplementary groups list.

[1] http://www.openwall.com/lists/oss-security/2012/05/24/12
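The supplementary-group problem described above, as an added example that is not part of the original report, the arpwatch patch or the Red Hat package: a privilege drop in the same order the patch uses (supplementary groups, gid, uid) but with pw->pw_gid passed to initgroups(), the form quoted from tcpdump in comment 3, followed by a runtime check that gid 0 is no longer in the process's supplementary list. The function names has_root_group(), process_has_root_group() and drop_privileges(), the constructed sample group lists, and the "nobody" account used in main() are assumptions for illustration.

```c
/* Added example, not code from the arpwatch patch or the Red Hat package.
 * Shows a privilege drop that passes the user's primary gid to initgroups()
 * instead of NULL, plus a check that gid 0 left the supplementary list. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample group lists (assumed values, for the self-check). */
static const gid_t sample_with_root[]    = { 0, 1000 };
static const gid_t sample_without_root[] = { 1000, 50 };

/* Return 1 if gid 0 appears in `groups`, 0 otherwise.  Pure, needs no
 * privileges, so it can be exercised on constructed input. */
int has_root_group(const gid_t *groups, int ngroups)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == 0)
            return 1;
    return 0;
}

/* Read the live supplementary group list and look for gid 0.
 * Returns 1 if present, 0 if absent, -1 on error. */
int process_has_root_group(void)
{
    int n = getgroups(0, NULL);          /* query the count first */
    if (n < 0)
        return -1;
    gid_t *groups = calloc((size_t)n + 1, sizeof *groups);
    if (groups == NULL)
        return -1;
    n = getgroups(n + 1, groups);
    int r = (n < 0) ? -1 : has_root_group(groups, n);
    free(groups);
    return r;
}

/* Drop root to `user`: supplementary groups, then gid, then uid, in the
 * order the patch uses, but with pw->pw_gid as initgroups()'s second
 * argument (the upstream-based tcpdump form).  Afterwards confirm that
 * root cannot be regained and that gid 0 is gone from the supplementary
 * list.  Returns 0 on success, -1 on any failure. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        fprintf(stderr, "drop_privileges: unknown user %s\n", user);
        return -1;
    }
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return -1;
    }
    /* If the uid change really took, going back to root must fail. */
    if (pw->pw_uid != 0 && setuid(0) != -1) {
        fprintf(stderr, "drop_privileges: root could be regained\n");
        return -1;
    }
    /* A service account's primary group should never be 0; if it is not,
     * gid 0 must no longer be in the supplementary list. */
    if (pw->pw_gid != 0 && process_has_root_group() != 0) {
        fprintf(stderr, "drop_privileges: gid 0 still in supplementary groups\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    if (geteuid() != 0) {
        /* Not root: only report what the current process carries. */
        printf("running unprivileged; gid 0 in supplementary groups: %d\n",
               process_has_root_group());
        return 0;
    }
    if (drop_privileges("nobody") != 0)   /* "nobody" is an assumed account */
        return 1;
    printf("dropped to uid %u gid %u; gid 0 in supplementary groups: %d\n",
           (unsigned)getuid(), (unsigned)getgid(), process_has_root_group());
    return 0;
}
```

The two post-drop checks are the part worth keeping in any daemon that starts as root: a failed setuid(0) proves the uid change was complete, and inspecting getgroups() catches exactly the defect in this report, where the uid and gid were changed correctly but gid 0 stayed in the supplementary list.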
Comment 2 Vincent Danen 2012-05-25 13:26:38 EDT
Oh, this does not affect upstream arpwatch.
Comment 3 Vincent Danen 2012-05-25 13:50:39 EDT
There was an additional mention of a tcpdump patch having this same problem:

http://www.openwall.com/lists/oss-security/2012/05/25/2 (patch: http://users.jyu.fi/~mesrik/pkg/tcpdump/tcpdump-3.7.1-droproot2.patch), but upon looking at tcpdump in RHEL and Fedora, we are using:

if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||

(which looks to be upstream-based, and would be ok).
Comment 5 Vincent Danen 2012-06-04 14:03:12 EDT
Created arpwatch tracking bugs for this issue

Affects: fedora-all [bug 828436]
Comment 7 Fedora Update System 2012-06-19 20:31:32 EDT
arpwatch-2.1a15-20.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-06-19 20:34:22 EDT
arpwatch-2.1a15-16.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-06-19 20:35:26 EDT
arpwatch-2.1a15-18.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Stefan Cornelius 2012-08-16 06:26:40 EDT
Statement:

The Red Hat Security Response Team has rated this issue as having moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.