*** This bug has been split off bug 146737 *** ------- Original comment by Josh Bressers (Security Response Team) on 2005.01.31 22:14 ------- The following issues were reported regarding running setuid perl executables (I'm attaching the report as a text file as it is long): a buffer overflow caused by very long paths and a PERLIO_DEBUG file overwrite bug. The advisory is attachment 110480. The proposed patch is attachment 110481.
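As an added illustration (not code from the advisory, the proposed patch, or Perl itself), the two defect classes named in comment #0 modelled as the hardened helpers a setuid interpreter would want: a caller-supplied debug-file variable is ignored whenever real and effective ids differ, and a path that does not fit its buffer is refused rather than copied. Function names and buffer sizes are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns env_path only when the process runs with real ids equal to its
 * effective ids (not setuid/setgid); otherwise NULL, so an environment
 * variable can never direct a privileged write. Hypothetical helper. */
const char *debug_path_if_unprivileged(const char *env_path,
                                       uid_t ruid, uid_t euid,
                                       gid_t rgid, gid_t egid)
{
    if (env_path == NULL || env_path[0] == '\0')
        return NULL;
    if (ruid != euid || rgid != egid)
        return NULL;
    return env_path;
}

/* Copies src into dst only if it fits including the terminator; returns
 * 0 on success and -1 when the path is too long, instead of writing past
 * the end of the buffer. Hypothetical helper. */
int copy_path_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void)
{
    char buf[64];
    char longpath[200];
    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';

    /* Constructed inputs: a short path fits, the long one is refused. */
    printf("short path: %d\n", copy_path_bounded(buf, sizeof buf, "/tmp/x"));
    printf("long path:  %d\n", copy_path_bounded(buf, sizeof buf, longpath));

    /* In a real setuid binary the ids come from the process itself. */
    const char *p = debug_path_if_unprivileged("/tmp/perlio.log",
                                               getuid(), geteuid(),
                                               getgid(), getegid());
    printf("debug file honoured: %s\n", p ? p : "no (ignored)");
    return 0;
}
```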
This issue should also affect FC2.
CAN-2005-0155 for the privilege escalation in debug mode CAN-2005-0156 for the buffer overflow
removing embargo (public by ubuntu)
should I cc fedora-legacy folks on this as well for FC1/FC2?
I think they're already working on it.... https://bugzilla.fedora.us/show_bug.cgi?id=2261 We've seen this exploited in the actual real world (there's easy-exploit code all over the net); an update should be released as soon as possible.
Note that this doesn't actually require a perl script to be marked setuid, just for perl-suidperl to be installed. http://packetstorm.linuxsecurity.com/0502-exploits/ex_perl.c Date in the code above: 2005.01.30 Date this bug created: 2005.01.31 Today's date: 2005.03.22
Just another ping on this. We're coming up on the two-month mark. I've patched our systems locally, but I worry for other people and for Fedora as a whole.
Almost three months now. This is beyond embarrassing.
As far as I can tell this is fixed in FC3 updates. Maybe Warren wants to comment on this? He was about to release another perl update AFAIK.
A package which fixes this appeared in the updates tree on Apr. 27, but no update announcement was sent out. Please, while it's good that the update is finally there, it's important to send out the notices too. Note also that when this problem was discovered, Fedora Core 2 was also still (nominally, at least) maintained (See comment #1.) I'll let you decide if you feel any responsibility about that. (Now separate Fedora Legacy bug #152845.)
Announcement sent for FC3 announcement. Please open a new bug for Legacy.
Thanks Warren. The Fedora Legacy bug already filed: bug #152845. I was just suggesting that maybe Red Hat folks would consider helping Fedora Legacy put together FC2 packages given the circumstances in this case.
The harsh reality is that RH engineers always have a huge pileup of unresolved issues, so the fact that we haven't fixed FC2 is not unusual. Please handle this in the community and don't distract the perpetually burnt out engineers trying to make FC4 suck less.
s/distract/demand more from/
Believe me, I understand that reality, having just gone through 700 FC2 bugs for conversion to Fedora Legacy. It just frustrates me that this *actively exploited* *root compromise* bug was left ignored for so long, and then even after I gave a heads-up on it to the security team and the issue was "escalated", it continued to be ignored until, hey, how convenient, Fedora Core 2 is no longer maintained. This makes me very frustrated about how well allegedly current Fedora Core releases are supported, LET ALONE what we can do with Legacy with basically *no* resources. If the general policy of Red Hat is to ignore root compromise bugs with easy patches until the affected releases are no longer "maintained", the whole thing is pretty much just a charade. Michael Tiemann gave a very nice talk about how Fedora fits into the Red Hat world, and how it's important to still address the "innovators" and "early adopters". Making FC4 be very slick is great for the innovators, but ignoring *current* releases is very, very hard on the early adopters. This *has* to be more than just talk, or *we'll* get burned out. If you have a suggestion for how to "handle this in the community", I'm very willing to listen.
Just to note that the Red Hat security response team do track the need to fix issues that affect currently supported FC releases as well as RHEL releases and the stats show that on average we actually fix security issues faster in FC releases, even though there is no SLA for fixing security issues in FC. We would not delay a security fix just to wait for some older release to move to legacy. Unfortunately, for this flaw, we switched Perl maintainers during the lifetime of this bug and the new maintainer wanted to gain some confidence in his patches as he had to change a few things to build it, in addition to the security patch itself, which added a further delay to the already delayed update.
I understand that your intentions aren't actually malicious here. However, the fact remains that the Fedora Legacy project has been left to repair this root compromise issue which should have been fixed when Fedora Core 2 was being maintained, SLA or not, and internal maintainer change or not. It seems like it would be a friendly token of goodwill to have a little help. If not, it will be *okay*, because some people are putting in some very good volunteer effort to pick up the slack. That's pretty much all I have to say in this bug -- feel free to contact me directly (or in the FL bug). Thanks.