Bug 903293

Summary: haproxy: Fails to properly drop supplementary groups after setuid / setgid calls
Product: Fedora
Reporter: Jan Lieskovsky <jlieskov>
Component: haproxy
Assignee: Jeremy Hinegardner <jeremy>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: jeremy, robinlee.sysu, rohara
Hardware: Unspecified
OS: Unspecified
URL: http://www.openwall.com/lists/oss-security/2013/01/23/7
Doc Type: Bug Fix
Clones: 903295, 903301, 903303, 903306, 903307
Last Closed: 2013-02-13 14:56:18 UTC
Type: Bug
Bug Blocks: 903295, 903301, 903303, 903306, 903307

Description Jan Lieskovsky 2013-01-23 16:39:16 UTC
Description of problem:
As noted in bug #894626 and in:
  [1] http://www.openwall.com/lists/oss-security/2013/01/23/7

haproxy previously failed to drop supplementary groups properly when trying to drop root privileges.

By itself this problem is not a security flaw, but it is still serious enough for the upstream fix:
  [2] git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=ab012dd3

to be backported into all of the affected versions.

Version-Release number of selected component (if applicable):
haproxy-1.4.22-1.fc16

How reproducible:
Always

Steps to Reproduce:
1. See https://bugzilla.redhat.com/show_bug.cgi?id=894626#c0 for further reproducer details
  
Actual results:
Supplementary groups are not dropped properly after setuid / setgid calls.

Expected results:
(All) Supplementary groups should be dropped when dropping root privileges.
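The privilege-drop sequence this report is about, shown as an added example in C (not haproxy's own code): supplementary groups are cleared with setgroups() before setgid()/setuid(), and the outcome is verified rather than assumed. The target uid/gid 65534 and the helper names are constructed for the example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if any gid in list[] other than keep_gid is present, i.e. a
 * supplementary group survived the drop; 0 otherwise.  Pure helper so the
 * post-drop check can be unit-tested without root. */
int has_extra_groups(const gid_t *list, int n, gid_t keep_gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] != keep_gid)
            return 1;
    return 0;
}

/* Drop root to uid/gid.  Order matters: the supplementary group list needs
 * root to change, so it goes first, then the primary gid, then the uid.
 * Returns 0 on success, -1 on any failure so the caller can abort instead of
 * continuing half-privileged. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) == -1)   /* the step haproxy was missing */
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    /* Verify: regaining root must fail, and no supplementary groups remain. */
    if (uid != 0 && setuid(0) != -1)
        return -1;
    gid_t groups[NGROUPS_MAX];
    int n = getgroups(NGROUPS_MAX, groups);
    if (n == -1 || has_extra_groups(groups, n, gid))
        return -1;
    return 0;
}

int main(void)
{
    /* 65534 is a constructed "nobody"-style target; run as root to see the drop succeed. */
    if (drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %d with no supplementary groups\n", (int)getuid());
    return 0;
}
```

Without root, setgroups() fails with EPERM and drop_privileges() returns -1, which is the fail-closed behaviour a daemon should treat as fatal.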

Comment 1 Fedora End Of Life 2013-02-13 14:56:23 UTC
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 2 Fedora Update System 2013-04-03 05:07:50 UTC
haproxy-1.4.23-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/haproxy-1.4.23-1.fc17