Red Hat Bugzilla – Bug 12470
kon2 - potential security disaster for RH7.0
Last modified: 2008-05-01 11:37:56 EDT
Well at least this time we spotted it before release ;-)
kon2 comes with three(!) new suid-root executables. Let's meet them:
1) "fld". Doubtful whether or not it should be suid-root. In its suid-root
status, it's a security disaster - I found a buffer overflow which will
probably allow easy root access.
2) "newvc" - this is doing things like writing entries to /var/run/utmp.
This no longer requires root privilege because we have "utempter".
3) "kon" - I haven't looked at this but it's not a small executable!!
1) Ship as little as possible suid-root. We should be _decreasing_ not
increasing the amount of suid-root executables, as time goes on.
2) IFF any of the kon2 executables get shipped suid-root, then
a) Audit them, and get someone to do it thoroughly!
b) Ensure that only a user logged on at the console can execute them
b) is very very important because it basically negates any code flaws in
these problems being exploited by users without physical access
This defect is considered MUST-FIX for Winston Beta-5
Won't ship in 8-bit language releases
This defect has been re-classified as MUST-FIX for Winston Gold-release
This should NOT be a must-fix for Winston gold, it's for JAPANESE Winston gold.
This defect has been re-classified as SHOULD-FIX for Winston Gold-release
OK, we're getting close enough we need to re-focus our attention on this
problem, to make sure the Japanese version gets a look-see at the problem.
This defect is considered MUST-FIX for Florence Gold release
newvc needs suid root even if it's utempter-ized cause it touches the hardware
and all users need to use it. The buffer overrun potential problem is addressed
in a patch.
kon2 also touches the hardware.
fld will be fixed to be non-fld.
I assume an "everything" install in non-Japanese language
won't install the kon2 package?
correct. Only if you check the little box by "support japanese".
Cool. One more point - these are console tools, right?
If so, the privileged ones should _refuse_ to run unless run from
the console. The same trick as used by Xwrapper/pam_console
could be appropriate.
suid-root programs that are console only are a much much smaller
Adrian, have you fixed fld yet?
So, what is the status of this bug?
Taking myself off the Cc: list...
No news here? Should this still be marked "Red Hat Beta Program"?
Hm, maybe should just close it; if there are particular issues with kon, they
can be separate bugs.