Bug 1358625 (CVE-2016-6252) - CVE-2016-6252 shadow-utils: Incorrect integer handling results in LPE
Summary: CVE-2016-6252 shadow-utils: Incorrect integer handling results in LPE
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-6252
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1358629
Blocks: 1358628
TreeView+ depends on / blocked
 
Reported: 2016-07-21 07:54 UTC by Andrej Nemec
Modified: 2020-02-11 00:42 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-25 06:45:34 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2016-07-21 07:54:28 UTC
An integer overflow vulnerability was found in shadow-utils. Attacker can use this for local privileges escalation.

References:

http://seclists.org/oss-sec/2016/q3/111

CVE assignment:

http://seclists.org/oss-sec/2016/q3/115

Comment 1 Andrej Nemec 2016-07-21 08:00:47 UTC
Created shadow-utils tracking bugs for this issue:

Affects: fedora-all [bug 1358629]

Comment 2 Andrej Nemec 2016-07-25 12:35:54 UTC
Upstream bug:

https://github.com/shadow-maint/shadow/issues/27

Comment 3 Doran Moppert 2016-08-25 05:56:28 UTC
The rhel-5 package shadow-4.0.17 does not include this vulnerability.

rhel-6 and rhel-7 shadow-4.1.15-1 include the getulong() function to which a portion of the upstream patch applies, but it is used much less widely and the idmapping does not exist in this version.  Thus the demonstration from oss-sec using `newuidmap` is not possible.

While the getulong() patch applies to shadow-4.1.15, its use is such that no security flaw exists.  The interface to the kernel through /proc/$$/uid_map which enables the vulnerability in 4.2.1 is not present, and of the remaining uses:

> 0 getdef.c  getdef_ulong 314 if (getulong (d->value, &val) == 0) {
> 1 limits.c  set_umask    135 if ( (getulong (value, &mask) == 0)
> 2 limits.c  check_logins 155 if (getulong (maxlogins, &limit) == 0) {
> 3 limits.c  setup_limits 593 if ( (getulong (cp + 6, &mask) == 0)

These parse strings in /etc/limits and /etc/login.defs, which are under administrator control and cannot be influenced by unprivileged users.

> 4 rlogin.c  do_rlogin    150 if (getulong (cp, &remote_speed) == 0) {

This (rarely used) is parsing terminal speed, and does not present a vulnerability.

> 5 lastlog.c main         228 if (getulong (optarg, &inverse_days) == 0) {
> 6 lastlog.c main         246 if (getulong (optarg, &days) == 0) {

These parse arguments given to /bin/lastlog, which is an unprivileged program - day counts in the billions aren't of interest to lastlog in any case :).


Note You need to log in before you can comment on or make changes to this bug.