Bug 825328 - (CVE-2012-2653) CVE-2012-2653 arpwatch: fails to drop supplementary groups
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120524,repor...
Keywords: Security
Depends On: 726759 828436
Blocks: 825330
Reported: 2012-05-25 13:23 EDT by Vincent Danen
Modified: 2012-08-16 06:26 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Description Vincent Danen 2012-05-25 13:23:35 EDT
As reported on the oss-security mailing list [1] the arpwatch-drop.patch as included in Red Hat arpwatch packages does not properly drop capabilities when changing uid/gid.  It calls initgroups() as:

+ if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
+                                setuid(pw->pw_uid) != 0 ) 
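Review bot: the second argument of initgroups() is a gid_t, not a pointer, so the NULL in the first line is the integer 0 and the root group gets appended to the supplementary list built from pw->pw_name's group memberships. Pass pw->pw_gid instead (the form the tcpdump code quoted in comment 3 uses), so the list ends with the account's own primary group; the setgid()-before-setuid() ordering and the return-value checks are fine as written.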

However in this case, the NULL results in group 0 being added to the supplementary groups list.

[1] http://www.openwall.com/lists/oss-security/2012/05/24/12
Comment 2 Vincent Danen 2012-05-25 13:26:38 EDT
Oh, this does not affect upstream arpwatch.
Comment 3 Vincent Danen 2012-05-25 13:50:39 EDT
There was an additional mention of a tcpdump patch having this same problem:

http://www.openwall.com/lists/oss-security/2012/05/25/2 (patch: http://users.jyu.fi/~mesrik/pkg/tcpdump/tcpdump-3.7.1-droproot2.patch), but upon looking at tcpdump in RHEL and Fedora, we are using:

if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||

(which looks to be upstream-based, and would be ok).
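The two initgroups() calls contrasted above (NULL versus pw->pw_gid), as an added example that is not the Red Hat arpwatch patch or the tcpdump code: a privilege-drop routine that passes the real primary gid and then re-reads its own supplementary groups with getgroups() to confirm gid 0 is gone, which is the check that would have caught the defect. The function names and the account name passed in are assumptions.

```c
#define _DEFAULT_SOURCE   /* declares initgroups() in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>
/* Pure check on any group list: is the root group (gid 0) present? */
int has_root_group(const gid_t *groups, int ngroups)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == 0)
            return 1;
    return 0;
}

/* Look for gid 0 among this process's groups: 1 present, 0 absent, -1 error. */
int process_has_root_group(void)
{
    int n = getgroups(0, NULL);
    if (n < 0)
        return -1;
    gid_t *groups = calloc(n > 0 ? (size_t)n : 1, sizeof *groups);
    if (!groups)
        return -1;
    n = getgroups(n, groups);
    int rc = (n < 0) ? -1 : has_root_group(groups, n);
    free(groups);
    return rc;
}

/* Drop root to the named unprivileged account (assumed caller-supplied).
 * Groups are set before setuid(), since afterwards the process may no
 * longer change them.  Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(const char *user)
{
    const struct passwd *pw = getpwnam(user);
    if (!pw) { errno = ENOENT; return -1; }
    /* Second argument is a gid_t: pass pw->pw_gid, never NULL.  NULL
     * converts to 0, which appends the root group to the list. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0)
        return -1;
    /* Post-conditions: ids changed and the root group really is gone. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || process_has_root_group() != 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

drop_privileges() must be called while still root; the getgroups() re-check is cheap and turns a silent group leak into a hard failure at startup.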
Comment 5 Vincent Danen 2012-06-04 14:03:12 EDT
Created arpwatch tracking bugs for this issue

Affects: fedora-all [bug 828436]
Comment 7 Fedora Update System 2012-06-19 20:31:32 EDT
arpwatch-2.1a15-20.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-06-19 20:34:22 EDT
arpwatch-2.1a15-16.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-06-19 20:35:26 EDT
arpwatch-2.1a15-18.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Stefan Cornelius 2012-08-16 06:26:40 EDT
Statement:

The Red Hat Security Response Team has rated this issue as having moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
