Bug 146738 - CAN-2005-0155 multiple setuid perl issues (CAN-2005-0156)
Summary: CAN-2005-0155 multiple setuid perl issues (CAN-2005-0156)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: perl
Version: 3
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Petr Rockai
QA Contact: David Lawrence
URL:
Whiteboard: impact=important,public=20050201
Depends On:
Blocks:
 
Reported: 2005-02-01 03:18 UTC by Josh Bressers
Modified: 2014-01-21 22:51 UTC (History)
4 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-05-03 00:40:34 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Josh Bressers 2005-02-01 03:18:27 UTC
*** This bug has been split off bug 146737 ***

------- Original comment by Josh Bressers (Security Response Team) on 2005.01.31 22:14 -------

The following issues were reported regarding running setuid perl executables
(I'm attaching the report as a text file as it is long):

buffer overflow caused by very long paths
and a PERLIO_DEBUG file overwrite bug.

The advisory is attachment 110480 [details]
The proposed patch is attachment 110481 [details]

Comment 1 Josh Bressers 2005-02-01 03:18:51 UTC
This issue should also affect FC2.

Comment 2 Josh Bressers 2005-02-01 13:57:22 UTC
CAN-2005-0155 for the privilege escalation in debug mode
CAN-2005-0156 for the buffer overflow

Comment 3 Mark J. Cox 2005-02-03 09:09:08 UTC
removing embargo (public by ubuntu)

Comment 4 Seth Vidal 2005-03-21 00:52:16 UTC
should I cc fedora-legacy folks on this as well for FC1/FC2?




Comment 5 Matthew Miller 2005-03-21 01:19:52 UTC
I think they're already working on it....

https://bugzilla.fedora.us/show_bug.cgi?id=2261

We've seen this exploited in the actual real world (there's easy-exploit code
all over the net); an update should be released as soon as possible.

Comment 6 Matthew Miller 2005-03-22 22:23:28 UTC
Note that this doesn't actually require a perl script to be marked setuid, just
for perl-suidperl to be installed.

http://packetstorm.linuxsecurity.com/0502-exploits/ex_perl.c

Date in the code above: 2005.01.30
Date this bug created:  2005.01.31

Today's date:           2005.03.22 
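The point in the comment above is that the exposure exists as soon as a setuid perl interpreter is present on the system, regardless of whether any script is marked setuid. The following added example (not from the bug report or from the perl project) is a defender's inventory check for that condition: it lists setuid files in a directory whose names look like a suid perl interpreter, and optionally asks the package manager whether perl-suidperl is installed. The file name patterns `sperl*` and `suidperl` and the use of `rpm -q` are assumptions about the package layout, not stated on this page.

```shell
#!/bin/sh
# Added example, not part of the bug report. Checks whether a setuid perl
# interpreter is present, which is the condition comment 6 describes.
# Assumption: the perl-suidperl package ships interpreters named sperl*
# or suidperl; adjust the patterns for other layouts.

# Print every setuid file directly inside DIR whose name matches the
# assumed suid perl interpreter names, one path per line, sorted.
find_setuid_perl() {
    dir=$1
    find "$dir" -maxdepth 1 -type f -perm -4000 \
        \( -name 'sperl*' -o -name 'suidperl' \) 2>/dev/null | sort
}

# Return 0 when DIR holds no setuid perl interpreter, 1 when it does.
# The paths are printed so the finding can be acted on (remove the
# package or apply the vendor update).
check_setuid_perl() {
    found=$(find_setuid_perl "$1")
    if [ -n "$found" ]; then
        printf 'setuid perl interpreter present:\n%s\n' "$found"
        return 1
    fi
    printf 'no setuid perl interpreter in %s\n' "$1"
    return 0
}

# Package-level check on an RPM-based system (assumed tooling; rpm -q exits
# non-zero when the package is not installed). Returns 1 if perl-suidperl
# is installed, 0 otherwise or when rpm is unavailable.
check_suidperl_package() {
    if command -v rpm >/dev/null 2>&1 && rpm -q perl-suidperl >/dev/null 2>&1; then
        echo 'perl-suidperl installed: remove it or apply the vendor update'
        return 1
    fi
    return 0
}
```

Run `check_setuid_perl /usr/bin` and `check_suidperl_package` from a cron job or configuration-audit script; a non-zero exit flags a host that still carries the setuid interpreter after the update was expected to be applied.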


Comment 8 Matthew Miller 2005-03-29 14:51:37 UTC
Just another ping on this. We're coming up on the two-month mark. I've patched
our systems locally, but I worry for other people and for Fedora as a whole.

Comment 13 Matthew Miller 2005-04-27 12:44:18 UTC
Almost three months now. This is beyond embarrassing.

Comment 14 Petr Rockai 2005-05-02 09:29:25 UTC
As far as I can tell this is fixed in FC3 updates. Maybe Warren wants to
comment on this? He was about to release another perl update AFAIK.

Comment 15 Matthew Miller 2005-05-02 12:28:49 UTC
A package which fixes this appeared in the updates tree on Apr. 27, but no
update announcement was sent out. Please, while it's good that the update is
finally there, it's important to send out the notices too.

Note also that when this problem was discovered, Fedora Core 2 was also still
(nominally, at least) maintained (See comment #1.) I'll let you decide if you
feel any responsibility about that. (Now separate Fedora Legacy bug #152845.)


Comment 16 Warren Togami 2005-05-03 00:40:34 UTC
Announcement sent for FC3.  Please open a new bug for Legacy.


Comment 17 Matthew Miller 2005-05-03 02:49:13 UTC
Thanks Warren. The Fedora Legacy bug already filed: bug #152845. I was just
suggesting that maybe Red Hat folks would consider helping Fedora Legacy put
together FC2 packages given the circumstances in this case.

Comment 18 Warren Togami 2005-05-03 03:12:39 UTC
The harsh reality is that RH engineers always have a huge pileup of unresolved
issues, so the fact that we haven't fixed FC2 is not unusual.  Please handle
this in the community and don't distract the perpetually burnt out engineers
trying to make FC4 suck less.

Comment 19 Warren Togami 2005-05-03 03:13:45 UTC
s/distract/demand more from/

Comment 20 Matthew Miller 2005-05-03 03:42:48 UTC
Believe me, I understand that reality, having just gone through 700 FC2 bugs for
conversion to Fedora Legacy. It just frustrates me that this *actively
exploited* *root compromise* bug was left ignored for so long, and then even
after I gave a heads-up on it to the security team and the issue was
"escalated", it continued to be ignored until, hey, how convenient, Fedora Core
2 is no longer maintained.

This makes me very frustrated about how well allegedly current Fedora Core
releases are supported, LET ALONE what we can do with Legacy with basically *no*
resources. If the general policy of Red Hat is to ignore root compromise bugs
with easy patches until the affected releases are no longer "maintained", the
whole thing is pretty much just a charade.

Michael Tiemann gave a very nice talk about how Fedora fits into the Red Hat
world, and how it's important to still address the "innovators" and "early
adopters". Making FC4 be very slick is great for the innovators, but ignoring
*current* releases is very, very hard on the early adopters. This *has* to be
more than just talk, or *we'll* get burned out. If you have a suggestion for how
to "handle this in the community", I'm very willing to listen.


Comment 21 Mark J. Cox 2005-05-03 10:07:57 UTC
Just to note that the Red Hat security response team do track the need to fix
issues that affect currently supported FC releases as well as RHEL releases and
the stats show that on average we actually fix security issues faster in FC
releases, even though there is no SLA for fixing security issues in FC.  We
would not delay a security fix just to wait for some older release to move to
legacy.

Unfortunately, for this flaw, we switched Perl maintainers during the lifetime
of this bug and the new maintainer wanted to gain some confidence in his patches
as he had to change a few things to build it, in addition to the security patch
itself, which added a further delay to the already delayed update.

Comment 22 Matthew Miller 2005-05-03 12:46:30 UTC
I understand that your intentions aren't actually malicious here. However, the
fact remains that the Fedora Legacy project has been left to repair this root
compromise issue which should have been fixed when Fedora Core 2 was being
maintained, SLA or not, and internal maintainer change or not. It seems like it
would be a friendly token of goodwill to have a little help.

If not, it will be *okay*, because some people are putting in some very good
volunteer effort to pick up the slack. That's pretty much all I have to say in
this bug -- feel free to contact me directly (or in the FL bug). Thanks.

