Bug 2292897 (CVE-2024-6126) - CVE-2024-6126 cockpit: Authenticated user can kill any process when enabling pam_env's user_readenv option
Keywords:
Status: MODIFIED
Alias: CVE-2024-6126
Deadline: 2024-07-03
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2290859
Blocks:
Reported: 2024-06-18 14:00 UTC by Avinash Hanwate
Modified: 2024-11-12 09:24 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2024:9325 | 0 | None | None | None | 2024-11-12 09:24:28 UTC

Description Avinash Hanwate 2024-06-18 14:00:49 UTC
In the cockpit component, pam-ssh-add uses a call to atoi() to convert the environment variable `SSH_AGENT_PID` to an integer. This assumes that this env variable has not been tampered with, and if the env variable has been mangled this can lead to an overflow. The solution proposed is to replace it with a call to strtol() with error checking.

Comment 1 Martin Pitt 2024-06-18 15:29:08 UTC
> if the env variable has been mangled this can lead to an overflow. The solution proposed is to replace it with a call to strtol() with error checking.

Note: This is *not at all* the problem/solution. This was an initial misunderstanding/misreporting. The subject describes it better. See #2290859 for details.

Comment 2 Martin Pitt 2024-07-03 09:00:16 UTC
The embargo got lifted. @ahanwate can you please remove the "security" group from #2290859? I am unable to do this myself. The bug should become public now. Thanks!

Comment 4 errata-xmlrpc 2024-11-12 09:24:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9325 https://access.redhat.com/errata/RHSA-2024:9325

