Hi guys

Well at least this time we spotted it before release ;-)

kon2 comes with three(!) new suid-root executables. Let's meet them:

1) "fld". Doubtful whether or not it should be suid-root. In its suid-root status, it's a security disaster - I found a buffer overflow which will probably allow easy root access.
2) "newvc" - this is doing things like writing entries to /var/run/utmp. This no longer requires root privilege because we have "utempter".
3) "kon" - I haven't looked at this but it's not a small executable!!

Proposed solution
=================

1) Ship as little as possible suid-root. We should be _decreasing_ not increasing the amount of suid-root executables, as time goes on.
2) IFF any of the kon2 executables get shipped suid-root, then
a) Audit them, and get someone to do it thoroughly!
b) Ensure that only a user logged on at the console can execute them

b) is very very important because it basically negates any code flaws in these problems being exploited by users without physical access

Cheers
Chris
This defect is considered MUST-FIX for Winston Beta-5
Won't ship in 8-bit language releases
This defect has been re-classified as MUST-FIX for Winston Gold-release
This should NOT be a must-fix for Winston gold, it's for JAPANESE Winston gold.
agreed.
This defect has been re-classified as SHOULD-FIX for Winston Gold-release

OK, we're getting close enough we need to re-focus our attention on this problem, to make sure the Japanese version gets a look-see at the problem.
This defect is considered MUST-FIX for Florence Gold release
newvc needs suid root even if it's utempter-ized cause it touches the hardware and all users need to use it. The buffer overrun potential problem is addressed in a patch. kon2 also touches the hardware. fld will be fixed to be non-fld.
I assume an "everything" install in non-Japanese language won't install the kon2 package?
correct. Only if you check the little box by "support japanese".
Cool. One more point - these are console tools, right? If so, the privileged ones should _refuse_ to run unless run from the console. The same trick as used by Xwrapper/pam_console could be appropriate. suid-root programs that are console only are a much much smaller risk.
Adrian, have you fixed fld yet?
So, what is the status of this bug? Taking myself off the Cc: list...
No news here? Should this still be marked "Red Hat Beta Program"?
Hm, maybe should just close it; if there are particular issues with kon, they can be separate bugs.