Bug 825328 (CVE-2012-2653)

Summary: CVE-2012-2653 arpwatch: fails to drop supplementary groups
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: jsynacek, mlichvar
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2019-06-10 10:58:40 UTC
Bug Depends On: 726759, 828436
Bug Blocks: 825330

Description Vincent Danen 2012-05-25 17:23:35 UTC
As reported on the oss-security mailing list [1] the arpwatch-drop.patch as included in Red Hat arpwatch packages does not properly drop capabilities when changing uid/gid.  It calls initgroups() as:

+ if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
+                                setuid(pw->pw_uid) != 0 ) 
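Review bot: on the first `+` line, initgroups() receives NULL as its gid_t argument, which is gid 0, so root's group is placed in the supplementary group list even though the following setgid() and setuid() succeed; pass the account's primary group instead, `initgroups(pw->pw_name, pw->pw_gid)`, and consider a getgroups() check after the drop so a leftover gid 0 fails start-up rather than going unnoticed.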

However in this case, the NULL results in group 0 being added to the supplementary groups list.

[1] http://www.openwall.com/lists/oss-security/2012/05/24/12
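The privilege-drop sequence the description discusses, shown as an added example that is not arpwatch's, Red Hat's, or the patch's own code: initgroups() is given pw->pw_gid rather than NULL, and the result is then audited with getgroups() so a leftover gid 0 is treated as a failed drop. The function names drop_privileges, has_root_group and current_process_has_root_group, and the default target account "nobody", are assumptions made for this illustration.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if gid 0 appears in a supplementary group list, else 0.
   This is the post-drop check that would have caught the NULL bug:
   initgroups(name, NULL) is initgroups(name, 0), so gid 0 stays in
   the list even after setgid() and setuid() succeed. */
int has_root_group(const gid_t *groups, int ngroups)
{
    for (int i = 0; i < ngroups; i++) {
        if (groups[i] == 0)
            return 1;
    }
    return 0;
}

/* Audits the calling process: 1 if gid 0 is among its supplementary
   groups, 0 if not, -1 on error (errno set). */
int current_process_has_root_group(void)
{
    int n = getgroups(0, NULL);          /* size 0 asks for the count only */
    if (n < 0)
        return -1;
    gid_t *groups = calloc((size_t)n + 1, sizeof *groups);
    if (groups == NULL)
        return -1;
    n = getgroups(n + 1, groups);
    if (n < 0) {
        free(groups);
        return -1;
    }
    int found = has_root_group(groups, n);
    free(groups);
    return found;
}

/* Hypothetical hardened privilege drop (assumed for this example).
   Order matters: supplementary groups first, then the primary gid,
   then the uid, because the first two steps still need root.
   Returns 0 on success and -1 with errno set on any failure, including
   a drop that "succeeded" but left root's group behind. */
int drop_privileges(const char *user)
{
    errno = 0;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        if (errno == 0)
            errno = ENOENT;
        return -1;
    }
    /* pw->pw_gid here, not NULL: NULL silently became gid 0 in the patch. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;

    /* Verify the drop is irreversible and left no gid 0 in the list. */
    if (setuid(0) == 0 || setgid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    int r = current_process_has_root_group();
    if (r != 0) {
        if (r == 1)
            errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";  /* example target account */
    if (drop_privileges(user) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%u gid=%u, gid 0 in supplementary list: %s\n",
           (unsigned)getuid(), (unsigned)getgid(),
           current_process_has_root_group() ? "yes" : "no");
    return 0;
}
```

Run as root with a target account name as the only argument; the process refuses to continue if it can still regain uid or gid 0 or if getgroups() still reports gid 0. The has_root_group helper can equally be applied to a group list read from /proc/PID/status when auditing an already-running daemon.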

Comment 2 Vincent Danen 2012-05-25 17:26:38 UTC
Oh, this does not affect upstream arpwatch.

Comment 3 Vincent Danen 2012-05-25 17:50:39 UTC
There was an additional mention of a tcpdump patch having this same problem:

http://www.openwall.com/lists/oss-security/2012/05/25/2 (patch: http://users.jyu.fi/~mesrik/pkg/tcpdump/tcpdump-3.7.1-droproot2.patch), but upon looking at tcpdump in RHEL and Fedora, we are using:

if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||

(which looks to be upstream-based, and would be ok).

Comment 5 Vincent Danen 2012-06-04 18:03:12 UTC
Created arpwatch tracking bugs for this issue

Affects: fedora-all [bug 828436]

Comment 7 Fedora Update System 2012-06-20 00:31:32 UTC
arpwatch-2.1a15-20.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2012-06-20 00:34:22 UTC
arpwatch-2.1a15-16.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2012-06-20 00:35:26 UTC
arpwatch-2.1a15-18.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.