Bug 12470 - kon2 - potential security disaster for RH7.0
Summary: kon2 - potential security disaster for RH7.0
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: kon2
Version: 7.1
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Nakai
QA Contact:
URL:
Whiteboard: Florence Gold
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-06-18 22:31 UTC by Chris Evans
Modified: 2008-05-01 15:37 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-04-02 22:04:59 UTC
Embargoed:

Attachments (Terms of Use)

Description Chris Evans 2000-06-18 22:31:10 UTC 
Hi guys

Well at least this time we spotted it before release ;-)

kon2 comes with three(!) new suid-root executables. Let's meet them:

1) "fld". Doubtful whether or not it should be suid-root. In it's suid-root
status, it's a security disaster - I found a buffer overflow which will
probably allow easy root access.

2) "newvc" - this is doing things like writing entries to /var/run/utmp.
This no longer requires root privilege because we have "utempter".

3) "kon" - I haven't looked at this but it's not a small executable!!


Proposed solution
=================

1) Ship as little as possible suid-root. We should be _decreasing_ not
increasing the amount of suid-root executables, as time goes on.

2) IFF any of the kon2 executables get shipped suid-root, then
a) Audit them, and get someone to do it thoroughly!
b) Ensure that only a user logged on at the console can execute them

b) is very very important because it basically negates any code flaws in
these problems being exploited by users without physical access

Cheers
Chris
Comment 1 Glen Foster 2000-07-18 18:48:35 UTC 
This defect is considered MUST-FIX for Winston Beta-5
Comment 2 Erik Troan 2000-07-21 16:31:39 UTC 
Won't ship in 8-bit language releases
Comment 3 Glen Foster 2000-07-21 18:06:15 UTC 
This defect has been re-classified as MUST-FIX for Winston Gold-release
Comment 4 Matt Wilson 2000-07-21 19:24:05 UTC 
This should NOT be a must-fix for Winston gold, it's for JAPANESE Winston gold.
Comment 5 Preston Brown 2000-08-15 14:48:06 UTC 
agreed.
Comment 6 Glen Foster 2000-08-16 22:41:10 UTC 
This defect has been re-classified as SHOULD-FIX for Winston Gold-release

OK, we're getting close enough we need to re-focus our attention on this
problem, to make sure the Japanese version gets a look-see at the problem.
Comment 7 Glen Foster 2001-01-11 21:02:57 UTC 
This defect is considered MUST-FIX for Florence Gold release
Comment 8 Eido Inoue 2001-02-06 18:23:30 UTC 
newvc needs suid root even if it's utempter-ized cause it touches the hardware
and all users need to use it. The buffer overrun potential problem is addressed
in a patch.

kon2 also touches the hardware.

fld will be fixed to be non-fld.
Comment 9 Chris Evans 2001-02-06 18:28:55 UTC 
I assume an "everything" install in non-Japanese language
won't install the kon2 package?
Comment 10 Matt Wilson 2001-02-06 18:32:36 UTC 
correct.  Only if you check the little box by "support japanese".
Comment 11 Chris Evans 2001-02-06 18:38:46 UTC 
Cool. One more point - these are console tools, right?
If so, the privileged ones should _refuse_ to run unless run from
the console. The same trick as used by Xwrapper/pam_console
could be appropriate.
.
suid-root programs that are console only are a much much smaller
risk.
Comment 12 Trond Eivind Glomsrxd 2001-03-09 19:29:45 UTC 
Adrian, have you fixed fld yet?
Comment 13 Cristian Gafton 2001-07-26 00:49:55 UTC 
So, what is the status of this bug?

Taking myself off the Cc: list...
Comment 14 Kjartan Maraas 2003-04-02 21:58:28 UTC 
No news here? Should this still be marked "Red Hat Beta Program"?
Comment 15 Bill Nottingham 2003-04-02 22:04:59 UTC 
Hm, maybe should just close it; if there are particular issues with kon, they
can be separate bugs.
Note You need to log in before you can comment on or make changes to this bug.