Bug 128039 - CAN-2003-0853/-0854: Vulnerability fix for "ls" not applied
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: coreutils
Version: 3.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact:
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard:
Depends On:
Blocks: 156320 209299
 
Reported: 2004-07-16 17:27 UTC by Robert Scheck
Modified: 2007-11-30 22:07 UTC
CC List: 0 users

Fixed In Version: RHBA-2005-544
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-28 17:01:55 UTC
Target Upstream Version:
Embargoed:


Attachments
Diff from coreutils.spec file (1.24 KB, patch), 2004-07-16 17:28 UTC, Robert Scheck
coreutils-4.5.3-lsw.patch (27.88 KB, patch), 2004-07-16 17:28 UTC, Robert Scheck


Links
Red Hat Product Errata RHBA-2005:544 (qe-ready, SHIPPED_LIVE): coreutils bug fix update, last updated 2005-09-28 04:00:00 UTC

Description Robert Scheck 2004-07-16 17:27:03 UTC
Description of problem:
If I do "ls -w 100000" as a user on an up2date Red Hat Enterprise Linux 
3, I'm able to ddos it with that command...this behaviour refers to 
the following vulnerabilities:

 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0853
 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0854

Version-Release number of selected component (if applicable):
coreutils-4.5.3-26

How reproducible:
Every time.

Steps to Reproduce:
1. ls -w 100000
2. Get the system freeze or only a high load for a few minutes, if
   you run a very fast computer.
  
Actual results:
Well, I'm able to slow or break down a RHEL3 system as user... ;-)

I attached a patch solving this vulnerability (I'm using the Red Hat 
patch from coreutils-4.5.3-19.0.2 which was used for RHL 7/8/9) and 
also the diff of coreutils' spec file.

Expected results:
"ls -w 100000" working without system freeze or high load ;-)

Additional info:
The fix for CAN-2003-0853/-0854 was done for:
 - RHL 7/8/9: RHSA-2003:309-08 
 - RHEL AS 2.1: RHSA-2003:310-10 (bug #107821)
 - FC1: FEDORA-2004-091 (bug #117310)
but NOT for RHEL 3! Maybe we should do that update very quickly 
(even if it is possible for U3?)...
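Why a width of 100000 is enough to take the box down, as an added worked example. This is a model of my own, not the attached patch, the spec diff or coreutils source: the constant MIN_COLUMN_WIDTH = 3 and the triangular allocate-and-fill pattern follow my recollection of the column-layout setup in ls.c of that era and are an assumption, as are the function names. The "patched" variant shows the two checks the fix is generally described as adding: never try more column counts than there are files, and refuse size arithmetic that wraps instead of handing a wrapped product to malloc.

```c
/*
 * Added example, not code from the bug report, the attached patch or
 * coreutils: a model of why "ls -w 100000" burns memory and CPU.
 *
 * Assumed shape (my recollection of ls.c, 4.5.x era): ls takes the line
 * width, derives how many columns could fit (each needs at least
 * MIN_COLUMN_WIDTH characters), then for every candidate column count i
 * from 1 to max_cols allocates an array of i column widths and fills it in
 * a loop. Allocation and work are therefore triangular in max_cols, i.e.
 * quadratic in the width the user typed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MIN_COLUMN_WIDTH 3   /* one character of name plus two spaces */

/* Per-candidate-layout descriptor, as in ls.c of that era (assumption). */
struct column_info {
    int valid_len;
    int line_len;
    int *col_arr;
};

/* Candidate column counts as the unpatched code derives them: bounded
   only by the width argument. */
size_t max_cols_unpatched(size_t line_length)
{
    return line_length / MIN_COLUMN_WIDTH;
}

/* Patched: a layout can never use more columns than there are files. */
size_t max_cols_patched(size_t line_length, size_t nfiles)
{
    size_t m = line_length / MIN_COLUMN_WIDTH;
    return m > nfiles ? nfiles : m;
}

/* Multiply with overflow detection; returns 0 on success, -1 on wrap. */
static int mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Number of column-width entries the layout tables hold, which is also the
   number of inner-loop iterations spent filling them: 1 + 2 + ... + max_cols.
   Returns 0 and sets *overflow when the count does not fit in size_t. */
size_t layout_entries(size_t max_cols, int *overflow)
{
    size_t prod;
    *overflow = 0;
    if (max_cols == SIZE_MAX || mul_size(max_cols, max_cols + 1, &prod) != 0) {
        *overflow = 1;
        return 0;
    }
    return prod / 2;   /* one of max_cols, max_cols + 1 is even, so exact */
}

/* Bytes malloc would be asked for: all width arrays plus the descriptor
   table. Sets *overflow instead of returning a wrapped (too small) size. */
size_t layout_bytes(size_t max_cols, int *overflow)
{
    size_t entries = layout_entries(max_cols, overflow);
    size_t arrays, table;
    if (*overflow)
        return 0;
    if (mul_size(entries, sizeof(int), &arrays) != 0 ||
        mul_size(max_cols, sizeof(struct column_info), &table) != 0 ||
        arrays > SIZE_MAX - table) {
        *overflow = 1;
        return 0;
    }
    return arrays + table;
}

int main(int argc, char **argv)
{
    size_t width  = argc > 1 ? (size_t)strtoull(argv[1], NULL, 10) : 100000;
    size_t nfiles = argc > 2 ? (size_t)strtoull(argv[2], NULL, 10) : 10;
    int ovf;
    size_t m = max_cols_unpatched(width);
    size_t b = layout_bytes(m, &ovf);
    printf("unpatched: width %zu -> %zu candidate layouts, %s%zu bytes\n",
           width, m, ovf ? "size arithmetic wraps, " : "", b);
    m = max_cols_patched(width, nfiles);
    b = layout_bytes(m, &ovf);
    printf("patched:   width %zu, %zu files -> %zu candidate layouts, %zu bytes\n",
           width, nfiles, m, b);
    return 0;
}
```

With the default arguments (width 100000, 10 files) the unpatched path asks for about 2.2 GB for 555 million entries, which a 2004-era RHEL3 machine cannot satisfy, and the fill loop runs that many times; the patched path stops at ten candidate layouts and 55 entries. A width large enough to wrap the product is what separates the second CVE (wrapped size, undersized buffer) from the first (merely huge size).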

Comment 1 Robert Scheck 2004-07-16 17:28:10 UTC
Created attachment 101973 [details]
Diff from coreutils.spec file

Comment 2 Robert Scheck 2004-07-16 17:28:33 UTC
Created attachment 101974 [details]
coreutils-4.5.3-lsw.patch

Comment 3 Tim Waugh 2004-07-16 17:31:20 UTC
The attack vector for this vulnerability is wu-ftpd -- we do not ship
wu-ftpd in Red Hat Enterprise Linux 3.


Comment 4 Robert Scheck 2004-07-16 17:35:58 UTC
Well Tim, I'm also able to type without any wu-ftpd at a bash or 
another prompt as user "ls -w 100000"...however it is an issue ;-)

Comment 5 Josh Bressers 2004-07-16 18:44:43 UTC
While this issue does exist, without wu-ftpd it's a non-issue.  It
becomes a simple local DOS, there are countless other ways to cause a
local DOS.

Comment 6 Robert Scheck 2004-07-16 19:14:16 UTC
What's up?! Is it a new Red Hat strategy to do no fixes for local 
DOS? Maybe Red Hat shouldn't fix any local DOS kernel bugs and so 
on, because they are only local and there are so many?! Of course, 
there are lots of ways to DOS a system, but if you don't fix them, 
you never get rid of them - that's logic, isn't it?!

But I still don't want to start any basic discussion about Red Hat - 
and the update support for the products - with you. 

BTW, you even fixed the also "non-affected" and non-supported Fedora 
Core 1 against this issue (#117310)...why not RHEL3, too?

I think, the people buying the expensive RHEL3 and its expensive
update support, have the right to get fixes - even against local DOS
vulnerabilities (otherwise we wouldn't need any local DOS fixes for 
example in the kernel). And I personally can't do more than provide 
pre-champed/ready-to-eat solutions for Red Hat to fix such 
vulnerabilities.

Comment 7 Mark J. Cox 2004-07-16 20:49:40 UTC
With any system where you have local users you have to have some level
of trust for those users.  Users on Unix systems can trivially write
one-line programs designed to use up as much memory as possible or
consume other resources such as disk space or CPU.  Sysadmins who
don't want this to happen can use things like the Linux system
resource limits to try to prevent these flaws, preventing users from
hogging system requirements.  

So if you're already setting resource limits then the flaw in ls won't
let users bypass that.  If you're not already setting resource limits
then users could find many many other ways to have the same impact.

Local DoS flaws in the kernel tend to have a greater impact; the
recent floating point instruction flaw allowed a local user the
ability to completely crash a system, irrespective of the resource
limits or other limits (chroot etc) that might be imposed on them.

So whilst it didn't qualify for a security advisory, it is a bug that
we should fix during a future update to coreutils. 

Comment 8 Mark J. Cox 2004-07-16 20:52:06 UTC
(A colleague pointed me at this article that goes into a bit more
detail about setting resource limits with PAM:
http://www.securityfocus.com/infocus/1575 )
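The resource-limit defence described in the two comments above, applied to a single command with setrlimit(2) so it can be checked. This is an added example, not code from the bug report, pam_limits or coreutils; pam_limits sets the same caps for a whole login session from /etc/security/limits.conf, and the helper names, the limit values and the command line are my own choices.

```c
/*
 * Added example, not from the bug report: run one command under the kind
 * of caps pam_limits would impose on a session. Limits are inherited across
 * execve, so they are set in the child before the exec. A runaway
 * "ls -w 100000" then dies (failed allocation, SIGXCPU or SIGKILL) instead
 * of dragging the whole machine down.
 *
 *   ./limited <address-space-MiB> <cpu-seconds> command [args...]
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum how_ended { RUN_EXITED, RUN_KILLED, RUN_FAILED };

struct run_result {
    enum how_ended how;
    int code;   /* exit status, terminating signal, or errno for RUN_FAILED */
};

/* Cap virtual address space and CPU time in the calling process. Setting
   hard == soft means an unprivileged child cannot raise them again.
   Returns 0, or -1 with errno set. */
int apply_limits(rlim_t as_bytes, rlim_t cpu_seconds)
{
    struct rlimit r;
    r.rlim_cur = r.rlim_max = as_bytes;
    if (setrlimit(RLIMIT_AS, &r) != 0)
        return -1;
    r.rlim_cur = r.rlim_max = cpu_seconds;
    if (setrlimit(RLIMIT_CPU, &r) != 0)
        return -1;
    return 0;
}

/* Fork, apply the caps in the child, exec argv, and report how it ended. */
struct run_result run_limited(char *const argv[], rlim_t as_bytes, rlim_t cpu_seconds)
{
    struct run_result res = { RUN_FAILED, 0 };
    int status;
    pid_t pid = fork();

    if (pid < 0) {
        res.code = errno;
        return res;
    }
    if (pid == 0) {
        if (apply_limits(as_bytes, cpu_seconds) != 0)
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);            /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) {
        res.code = errno;
        return res;
    }
    if (WIFEXITED(status)) {
        res.how = RUN_EXITED;
        res.code = WEXITSTATUS(status);
    } else if (WIFSIGNALED(status)) {
        res.how = RUN_KILLED;
        res.code = WTERMSIG(status);
    }
    return res;
}

int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s <address-space-MiB> <cpu-seconds> command [args...]\n",
                argv[0]);
        return 2;
    }
    rlim_t as_bytes = (rlim_t)strtoull(argv[1], NULL, 10) << 20;
    rlim_t cpu = (rlim_t)strtoull(argv[2], NULL, 10);
    struct run_result r = run_limited(&argv[3], as_bytes, cpu);

    switch (r.how) {
    case RUN_EXITED: printf("exited with status %d\n", r.code); break;
    case RUN_KILLED: printf("killed by signal %d\n", r.code); break;
    default:         printf("could not run: %s\n", strerror(r.code)); break;
    }
    return r.how == RUN_EXITED ? r.code : 1;
}
```

Something like `./limited 128 5 ls -w 100000 /usr/lib` is the check: on a fixed coreutils the listing completes and the wrapper reports a normal exit, on the unfixed 4.5.3-26 described in this report the child is killed once it hits the address-space or CPU cap, and the rest of the system is untouched. This is exactly the property Mark relies on: the flaw lets ls consume resources, but not escape the limits already imposed on the user.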

Comment 9 Tim Waugh 2004-12-09 12:01:41 UTC
Fix applied in CVS and will be included in any future update to coreutils.

Comment 20 Red Hat Bugzilla 2005-09-28 17:01:55 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-544.html
