Bug 128039 - CAN-2003-0853/-0854: Vulnerability fix for "ls" not applied
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: coreutils
Version: 3.0
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Tim Waugh
http://cve.mitre.org/cgi-bin/cvename....
Blocks: 156320 209299
Reported: 2004-07-16 13:27 EDT by Robert Scheck
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHBA-2005-544
Doc Type: Bug Fix
Last Closed: 2005-09-28 13:01:55 EDT


Attachments
Diff from coreutils.spec file (1.24 KB, patch)
2004-07-16 13:28 EDT, Robert Scheck
coreutils-4.5.3-lsw.patch (27.88 KB, patch)
2004-07-16 13:28 EDT, Robert Scheck

Description Robert Scheck 2004-07-16 13:27:03 EDT
Description of problem:
If I do "ls -w 100000" as a user on an up2date Red Hat Enterprise Linux 
3, I'm able to ddos it with that command... this behaviour refers to 
the following vulnerabilities:

 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0853
 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0854

Version-Release number of selected component (if applicable):
coreutils-4.5.3-26

How reproducible:
Every time.

Steps to Reproduce:
1. ls -w 100000
2. Get a system freeze, or only a high load for a few minutes if
   you run a very fast computer.
  
Actual results:
Well, I'm able to slow down or break a RHEL3 system as a user... ;-)

I've attached a patch solving this vulnerability (I'm using the Red Hat 
patch from coreutils-4.5.3-19.0.2 which was used for RHL 7/8/9) and 
also the diff of coreutils' spec file.

Expected results:
"ls -w 100000" working without system freeze or high load ;-)

Additional info:
The fix for CAN-2003-0853/-0854 was done for:
 - RHL 7/8/9: RHSA-2003:309-08 
 - RHEL AS 2.1: RHSA-2003:310-10 (bug #107821)
 - FC1: FEDORA-2004-091 (bug #117310)
but NOT for RHEL 3! Maybe we should do that update very quickly 
(even if it is possible for U3?)...
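As an added illustration (not the coreutils patch attached to this report, and not coreutils' own code), this C sketch shows the defensive pattern that defuses a huge `-w` value: parse the width with range checking, bound the candidate column count by the number of entries as well as by the width, and refuse rather than wrap when computing the size of the per-layout width table. MIN_COLUMN_WIDTH and the triangular table shape are assumptions modelled on how ls lays out columns.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define MIN_COLUMN_WIDTH 3  /* assumed: narrowest useful column, as in ls' layout code */

/* Parse the -w argument; reject junk, negative and out-of-range values
 * rather than letting them wrap into a huge width. */
static bool parse_line_length(const char *arg, size_t *out)
{
    char *end;
    if (arg == NULL || *arg == '\0' || *arg == '-') return false;
    errno = 0;
    unsigned long v = strtoul(arg, &end, 10);
    if (errno == ERANGE || *end != '\0') return false;
    if (out) *out = (size_t)v;
    return true;
}

/* Candidate column count bounded by the width AND by the entry count:
 * "-w 100000" over three files considers three layouts, not 33333. */
static size_t max_columns(size_t line_length, size_t n_entries)
{
    size_t by_width = line_length / MIN_COLUMN_WIDTH;
    size_t cols = by_width < n_entries ? by_width : n_entries;
    return cols ? cols : 1;
}

/* Slots needed for layouts of 1..max_cols columns (assumed triangular table,
 * one row per candidate layout); returns 0 instead of wrapping the size. */
static size_t width_table_entries(size_t max_cols)
{
    if (max_cols == SIZE_MAX || max_cols > SIZE_MAX / (max_cols + 1)) return 0;
    size_t n = max_cols * (max_cols + 1) / 2;
    return n > SIZE_MAX / sizeof(size_t) ? 0 : n;
}

/* End to end: table slots a -w argument costs for n entries (0 = refused).
 * The allocation is done and freed so the bounded size is what gets used. */
static size_t layout_table_entries(const char *width_arg, size_t n_entries)
{
    size_t line_length, n;
    if (!parse_line_length(width_arg, &line_length)) return 0;
    n = width_table_entries(max_columns(line_length, n_entries));
    size_t *table = n ? calloc(n, sizeof *table) : NULL;
    free(table);
    return n;
}
```

With these bounds, "-w 100000" over three entries costs six table slots, the same as "-w 9"; the requested width no longer scales the allocation on its own.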
Comment 1 Robert Scheck 2004-07-16 13:28:10 EDT
Created attachment 101973 [details]
Diff from coreutils.spec file
Comment 2 Robert Scheck 2004-07-16 13:28:33 EDT
Created attachment 101974 [details]
coreutils-4.5.3-lsw.patch
Comment 3 Tim Waugh 2004-07-16 13:31:20 EDT
The attack vector for this vulnerability is wu-ftpd -- we do not ship
wu-ftpd in Red Hat Enterprise Linux 3.
Comment 4 Robert Scheck 2004-07-16 13:35:58 EDT
Well Tim, I'm also able to type "ls -w 100000" without any wu-ftpd at a 
bash or another prompt as a user... however, it is an issue ;-)
Comment 5 Josh Bressers 2004-07-16 14:44:43 EDT
While this issue does exist, without wu-ftpd it's a non-issue.  It
becomes a simple local DOS, there are countless other ways to cause a
local DOS.
Comment 6 Robert Scheck 2004-07-16 15:14:16 EDT
What's up?! Is it a new Red Hat strategy to do no fixes for local 
DOS? Maybe Red Hat shouldn't fix any local DOS kernel bugs and so 
on, because they are only local and there are so many?! Of course, 
there are lots of ways to DOS a system, but if you don't fix them, 
you never get rid of them - that's logic, isn't it?!

But I still don't want to start any basic discussion about Red Hat - 
and the update support for the products - with you. 

BTW, you even fixed the also "non-affected" and non-supported Fedora 
Core 1 against this issue (#117310)...why not RHEL3, too?

I think, the people buying the expensive RHEL3 and its expensive
update support, have the right to get fixes - even against local DOS
vulnerabilities (otherwise we wouldn't need any local DOS fixes for 
example in the kernel). And I personally can't do more than provide 
pre-champed/ready-to-eat solutions for Red Hat to fix such 
vulnerabilities.
Comment 7 Mark J. Cox (Product Security) 2004-07-16 16:49:40 EDT
With any system where you have local users you have to have some level
of trust for those users.  Users on Unix systems can trivially write
one-line programs designed to use up as much memory as possible or
consume other resources such as disk space or CPU.  Sysadmins who
don't want this to happen can use things like the Linux system
resource limits to try to prevent these flaws, preventing users from
hogging system requirements.  

So if you're already setting resource limits then the flaw in ls won't
let users bypass that.  If you're not already setting resource limits
then users could find many many other ways to have the same impact.

Local DoS flaws in the kernel tend to have a greater impact; the
recent floating point instruction flaw allowed a local user the
ability to completely crash a system, irrespective of the resource
limits or other limits (chroot etc) that might be imposed on them.

So whilst it didn't qualify for a security advisory, it is a bug that
we should fix during a future update to coreutils.
Comment 8 Mark J. Cox (Product Security) 2004-07-16 16:52:06 EDT
(A colleague pointed me at this article that goes into a bit more
detail about setting resource limits with PAM:
http://www.securityfocus.com/infocus/1575 )
Comment 9 Tim Waugh 2004-12-09 07:01:41 EST
Fix applied in CVS and will be included in any future update to coreutils.
Comment 20 Red Hat Bugzilla 2005-09-28 13:01:55 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-544.html
