Red Hat Bugzilla – Bug 825328
CVE-2012-2653 arpwatch: fails to drop supplementary groups
Last modified: 2012-08-16 06:26:40 EDT
As reported on the oss-security mailing list, the arpwatch-drop.patch as included in Red Hat arpwatch packages does not properly drop capabilities when changing uid/gid. It calls initgroups() as:
+ if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
+ setuid(pw->pw_uid) != 0 )
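Review bot: the second argument of initgroups() is a gid_t, so the NULL in the first added line is the integer 0, and initgroups() therefore puts root's group (gid 0) into the supplementary group list that setgid()/setuid() then leave in place; the call should be `initgroups(pw->pw_name, pw->pw_gid)`, the form the RHEL/Fedora tcpdump uses, so the only groups the daemon keeps are the ones the target user is actually a member of.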
However, in this case, the NULL results in group 0 being added to the supplementary groups list.
Oh, this does not affect upstream arpwatch.
There was an additional mention of a tcpdump patch having this same problem:
http://www.openwall.com/lists/oss-security/2012/05/25/2 (patch: http://users.jyu.fi/~mesrik/pkg/tcpdump/tcpdump-3.7.1-droproot2.patch), but upon looking at tcpdump in RHEL and Fedora, we are using:
if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
(which looks to be upstream-based, and would be ok).
Created arpwatch tracking bugs for this issue
Affects: fedora-all [bug 828436]
arpwatch-2.1a15-20.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
arpwatch-2.1a15-16.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
arpwatch-2.1a15-18.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
The Red Hat Security Response Team has rated this issue as having moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.