Overview
This release focuses on security hardening following an ongoing security audit (issue #55). It addresses 12 security findings, one bug fix, one reliability improvement, and one enhancement. All changes are targeted and narrowly scoped.
Upgrade strongly recommended. Several fixes address issues that could be exploited under specific conditions (see individual entries below).
Security
- Add O_CLOEXEC to fopen() in pusb_get_process_name/pusb_get_parent_id — prevents file descriptor leakage into child processes (#397, issue #391)
- Clear heap memory before free in xfree() — prevents sensitive data (credentials, paths) from lingering in freed memory (#374, issue #373)
- Add O_NOFOLLOW to evdev open() — prevents symlink-following attacks on the event device node (#376, issue #369)
- Fix TOCTOU race in pad directory creation — closes a race window between stat and mkdir on the OTP pad directory (#381, issue #371)
- Add O_EXCL to pad temp file creation — prevents a concurrent-update race when writing pad state (#380)
- Harden pusb_conf_xpath_id_is_safe to allowlist approach — replaces denylist with strict allowlist for XPath identifier validation (#383, issue #370)
- Replace getenv() with secure_getenv() in PAM context — avoids environment variable injection in privileged PAM context (#384, issue #368)
- Disable XXE in xmlReadFile() — passes explicit parser flags to block XML External Entity expansion (#385, issue #367)
- Add compiler and linker hardening flags — enables FORTIFY_SOURCE, stack protector, relro, now, and PIE (#386, issue #366)
- Fix NULL dereference in pusb_is_loginctl_local() — handles an empty Remote field returned by loginctl without crashing (#393)
- Fix infinite loop DoS in process-tree walk — adds cycle detection to prevent a crafted /proc from causing an infinite loop (#394, issue #388)
- Fix integer overflow UB in pusb_xpath_get_time() and pusb_xpath_get_int() — adds bounds checks to prevent undefined behavior from malformed config values (#395)
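The four file-handling entries above (O_CLOEXEC on fopen(), O_NOFOLLOW on the device node, the stat/mkdir window, O_EXCL on the pad temp file) share one rule: perform the operation first, then check the open descriptor rather than the path. The block below is an added illustration written for these notes, not the project's own code; the function names, the 0700 mode, the owner/mode check on the directory, and the scratch path under /tmp are assumptions made for the demo. In glibc the "e" flag on fopen() is what sets O_CLOEXEC.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* glibc fopen() takes an "e" mode flag that maps to O_CLOEXEC, so a /proc
 * file opened during the process-tree walk is not inherited by whatever the
 * PAM stack forks afterwards (the user's shell, for instance). */
FILE *fopen_cloexec(const char *path)
{
    return fopen(path, "re");
}

int fd_has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && (flags & FD_CLOEXEC) != 0;
}

/* Race-free pad directory. The TOCTOU form is "if stat() fails, mkdir()";
 * here mkdir() goes first and EEXIST is accepted, then the result is opened
 * with O_DIRECTORY|O_NOFOLLOW so a symlink planted under that name fails
 * with ELOOP instead of being followed, and the ownership/mode check runs
 * on the open descriptor, which nobody can swap out from under us.
 * Mode 0700 and the owner check are assumptions for this demo.
 * Returns a directory fd (O_CLOEXEC) or -1 with errno set. */
int open_pad_dir(const char *path)
{
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;

    int dfd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;

    struct stat st;
    if (fstat(dfd, &st) != 0 || !S_ISDIR(st.st_mode)
        || st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(dfd);
        errno = EPERM;
        return -1;
    }
    return dfd;
}

/* New pad state file, created relative to the directory fd. O_EXCL makes the
 * create atomic: a concurrent writer or a pre-placed symlink of the same name
 * gets EEXIST rather than a truncate or a follow. The caller would write the
 * state, fsync(), then rename() it over the live pad file. */
int create_pad_tempfile(int dfd, const char *name)
{
    return openat(dfd, name,
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Scenario on a scratch directory (constructed for the demo): normal
 * creation, the O_EXCL collision, and a symlink planted where the pad
 * directory should be. Returns 1 if every check behaved as expected. */
int pad_demo_selfcheck(void)
{
    char base[] = "/tmp/pad-demo-XXXXXX";
    if (!mkdtemp(base))
        return 0;
    char dir[80], link[80];
    snprintf(dir, sizeof dir, "%s/pads", base);
    snprintf(link, sizeof link, "%s/planted", base);

    int ok = 1;
    int dfd = open_pad_dir(dir);
    ok &= dfd >= 0 && fd_has_cloexec(dfd);
    int fd = create_pad_tempfile(dfd, "state.tmp");
    ok &= fd >= 0 && fd_has_cloexec(fd);
    ok &= create_pad_tempfile(dfd, "state.tmp") < 0 && errno == EEXIST;
    ok &= symlink(base, link) == 0;
    ok &= open_pad_dir(link) < 0 && errno == ELOOP;   /* symlink refused */

    if (fd >= 0) close(fd);
    if (dfd >= 0) { unlinkat(dfd, "state.tmp", 0); close(dfd); }
    unlink(link);
    rmdir(dir);
    rmdir(base);
    return ok;
}

int main(void)
{
    FILE *f = fopen_cloexec("/dev/null");
    printf("fopen \"re\" sets FD_CLOEXEC: %s\n",
           f && fd_has_cloexec(fileno(f)) ? "yes" : "no");
    if (f) fclose(f);
    printf("pad directory/tempfile checks: %s\n",
           pad_demo_selfcheck() ? "all passed" : "FAILED");
    return 0;
}
```

The important detail is that after open_pad_dir() returns, every later operation goes through openat() on the returned descriptor; re-opening by path would reintroduce the window the entry above closes.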
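For the process-tree entry, an added example (not the project's code) of a parent walk that refuses to revisit a pid and caps its depth. The ppid source is pluggable so the same loop can be exercised on a constructed table as well as on the real /proc/<pid>/stat; the depth limit of 512, the return codes, and the table contents are assumptions for the demo.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Pluggable ppid source: returns the parent pid, or -1 if pid is unknown. */
typedef int (*ppid_fn)(int pid, void *ctx);

#define MAX_DEPTH 512   /* assumed bound; a real ancestry is a few dozen deep */

/* Walk from pid up to pid 1, storing ancestors in chain[] (up to chain_cap).
 * A crafted or inconsistent view of /proc (a FUSE mount over it, a pid reused
 * mid-walk) can present a parent chain that loops, e.g. 40 -> 50 -> 40, and
 * "while (pid > 1)" alone then spins forever inside a privileged PAM call.
 * Two guards: every pid already visited is remembered, and depth is capped.
 * Returns the number of ancestors found, -1 on a cycle, -2 on lookup
 * failure, -3 when MAX_DEPTH is exceeded. */
int walk_parents(int pid, ppid_fn get_ppid, void *ctx, int *chain, int chain_cap)
{
    int seen[MAX_DEPTH];
    int n = 0, count = 0;
    seen[n++] = pid;

    while (pid > 1) {
        int ppid = get_ppid(pid, ctx);
        if (ppid < 0)
            return -2;
        for (int i = 0; i < n; i++)
            if (seen[i] == ppid)
                return -1;               /* already on the path: cycle */
        if (n >= MAX_DEPTH)
            return -3;
        seen[n++] = ppid;
        if (count < chain_cap)
            chain[count] = ppid;
        count++;
        pid = ppid;
    }
    return count;
}

/* Real source: field 4 of /proc/<pid>/stat. The comm field (2) is wrapped in
 * parentheses and may contain spaces or ')', so parse after the last ')'. */
int proc_ppid(int pid, void *ctx)
{
    (void)ctx;
    char path[64], buf[512];
    snprintf(path, sizeof path, "/proc/%d/stat", pid);
    FILE *f = fopen(path, "re");                /* "e": O_CLOEXEC */
    if (!f)
        return -1;
    size_t len = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[len] = '\0';
    char *p = strrchr(buf, ')');
    int ppid;
    if (!p || sscanf(p + 1, " %*c %d", &ppid) != 1)
        return -1;
    return ppid;
}

/* Constructed source for the demo: a small pid -> ppid table ending in {0,0}. */
struct pid_map { int pid, ppid; };

int table_ppid(int pid, void *ctx)
{
    for (const struct pid_map *m = ctx; m->pid != 0; m++)
        if (m->pid == pid)
            return m->ppid;
    return -1;
}

static const struct pid_map demo_chain[] = { {10, 1}, {20, 10}, {30, 20}, {0, 0} };
static const struct pid_map demo_cycle[] = { {40, 50}, {50, 40}, {0, 0} };
static const struct pid_map demo_self[]  = { {60, 60}, {0, 0} };
static const struct pid_map demo_gap[]   = { {70, 99}, {0, 0} };   /* 99 unknown */

int demo_walk(const struct pid_map *table, int pid)
{
    int chain[16];
    return walk_parents(pid, table_ppid, (void *)table, chain, 16);
}

int main(void)
{
    printf("chain 30->20->10->1 : %d ancestors\n", demo_walk(demo_chain, 30));
    printf("cycle 40<->50       : %d\n", demo_walk(demo_cycle, 40));
    printf("self-parent 60      : %d\n", demo_walk(demo_self, 60));
    printf("missing parent      : %d\n", demo_walk(demo_gap, 70));
    int real[32];
    int n = walk_parents(getpid(), proc_ppid, NULL, real, 32);
    printf("this process        : %d ancestors (first ppid %d)\n",
           n, n > 0 ? real[0] : -1);
    return 0;
}
```

A visited list plus a depth cap is deliberately redundant: the list catches a loop in a handful of steps, the cap bounds the cost even if the source returns fresh, never-repeating garbage.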
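For the allowlist entry and the bounds-check entry, an added example (not the project's code) of an allowlisted identifier check and a bounded parser for integer and time values. The accepted character set, the 64-byte length cap, the s/m/h/d unit suffixes, and the one-year ceiling are assumptions chosen for the demo.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allowlist for an identifier that ends up inside an XPath predicate such as
 * //devices/device[@id='NAME']. A denylist ("no quotes, no brackets") only
 * covers what its author thought of; this accepts exactly [A-Za-z0-9_.-],
 * ASCII only, 1..64 bytes, not starting with '-' or '.'. The set and the
 * length cap are assumptions for the demo. */
#define MAX_ID_LEN 64

bool xpath_id_is_safe(const char *id)
{
    if (!id || *id == '\0' || *id == '-' || *id == '.' || strlen(id) > MAX_ID_LEN)
        return false;
    for (const unsigned char *p = (const unsigned char *)id; *p; p++) {
        bool alnum = (*p >= '0' && *p <= '9') || (*p >= 'A' && *p <= 'Z')
                  || (*p >= 'a' && *p <= 'z');
        if (!alnum && *p != '_' && *p != '-' && *p != '.')
            return false;
    }
    return true;
}

/* strtol() with every failure mode checked: leading sign or whitespace
 * (strtol would accept both), no digits, and ERANGE on overflow. Trailing
 * text is left for the caller to judge. */
static bool parse_digits_strict(const char *s, const char **end_out, long *out)
{
    if (!s || *s < '0' || *s > '9')
        return false;
    errno = 0;
    char *end;
    long n = strtol(s, &end, 10);
    if (errno == ERANGE || n < 0)
        return false;
    *end_out = end;
    *out = n;
    return true;
}

/* Integer option with an explicit [lo, hi]. Returns the value, or -1 on any
 * error (the demo only uses non-negative ranges). */
long parse_bounded_int(const char *s, long lo, long hi)
{
    const char *end;
    long n;
    if (!parse_digits_strict(s, &end, &n) || *end != '\0' || n < lo || n > hi)
        return -1;
    return n;
}

/* Time option "<digits>[s|m|h|d]" in seconds. The unit multiply is a second
 * overflow point: 9223372036854775807 parses fine, times 3600 does not.
 * __builtin_mul_overflow (GCC/clang) reports that instead of wrapping.
 * The one-year ceiling is an assumption for the demo. Returns seconds or -1. */
#define MAX_TIME_SECS (365L * 86400L)

long parse_time_value(const char *s)
{
    const char *end;
    long n, mult, secs;
    if (!parse_digits_strict(s, &end, &n))
        return -1;
    switch (*end) {
    case '\0': case 's': mult = 1; break;
    case 'm': mult = 60; break;
    case 'h': mult = 3600; break;
    case 'd': mult = 86400; break;
    default: return -1;
    }
    if (*end != '\0' && end[1] != '\0')      /* "5hh", "1h " */
        return -1;
    if (__builtin_mul_overflow(n, mult, &secs) || secs > MAX_TIME_SECS)
        return -1;
    return secs;
}

int main(void)
{
    const char *ids[] = { "usb-key_01", "a' or '1'='1", "key]", "" };
    for (int i = 0; i < 4; i++)
        printf("id %-14s -> %s\n", ids[i], xpath_id_is_safe(ids[i]) ? "safe" : "rejected");
    const char *times[] = { "1h", "30m", "45", "99999999999999999999s",
                            "9223372036854775807h", "-5", "5hh" };
    for (int i = 0; i < 7; i++)
        printf("time %-22s -> %ld\n", times[i], parse_time_value(times[i]));
    return 0;
}
```

Both parsers reject rather than clamp: a silently clamped pad_expiration or probe_timeout hides a typo in the config, while a rejected one surfaces it in the log.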
Bug Fixes
- Per-device config options silently never applied — device-level overrides (e.g. pad_expiration, probe_timeout) were parsed but never used; now correctly applied (#398, issue #390)
Reliability
- Fix BUFSIZ truncation in pusb_get_process_envvar() — environment variable values longer than BUFSIZ were silently truncated; now uses dynamic allocation (#396)
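An added example for this entry (not the project's code): reading a process's environment from /proc/<pid>/environ into a buffer that grows until EOF, then matching the variable on its full name, so a value longer than BUFSIZ comes back intact. The 8 MiB cap, the helper names, and the constructed sample blob are assumptions for the demo.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_ENVIRON_BYTES (8u << 20)   /* assumed cap; well above any real env */

/* /proc/<pid>/environ reports st_size 0, so the only way to get all of it is
 * to read until EOF into a buffer that grows. A fixed BUFSIZ buffer silently
 * cuts any value past the first 8 KiB. Returns malloc'd bytes and *len, or NULL. */
char *read_proc_environ(pid_t pid, size_t *len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/environ", (int)pid);
    FILE *f = fopen(path, "re");              /* "e": O_CLOEXEC */
    if (!f)
        return NULL;
    size_t cap = 4096, used = 0, n;
    char *buf = malloc(cap);
    while (buf && (n = fread(buf + used, 1, cap - used, f)) > 0) {
        used += n;
        if (used == cap) {
            if (cap >= MAX_ENVIRON_BYTES) { free(buf); buf = NULL; break; }
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); buf = NULL; break; }
            buf = nb;
            cap *= 2;
        }
    }
    fclose(f);
    if (buf)
        *len = used;
    return buf;
}

/* Entries are "NAME=VALUE" separated by NUL. Match on the full name followed
 * by '=', so looking up HOME does not return HOMEX's value. Returns a
 * malloc'd copy of the value (possibly "") or NULL if absent. */
char *envvar_from_blob(const char *blob, size_t len, const char *name)
{
    size_t nlen = strlen(name), i = 0;
    while (i < len) {
        const char *entry = blob + i;
        size_t elen = strnlen(entry, len - i);
        if (elen > nlen && memcmp(entry, name, nlen) == 0 && entry[nlen] == '=')
            return strndup(entry + nlen + 1, elen - nlen - 1);
        i += elen + 1;
    }
    return NULL;
}

char *get_process_envvar(pid_t pid, const char *name)
{
    size_t len;
    char *blob = read_proc_environ(pid, &len);
    if (!blob)
        return NULL;
    char *val = envvar_from_blob(blob, len, name);
    free(blob);
    return val;
}

/* Constructed sample environment for the demo, with one value deliberately
 * longer than BUFSIZ and a decoy name that shares a prefix. */
#define LONG_LEN (2 * BUFSIZ + 7)

static char *demo_blob(size_t *len)
{
    const char head[] = "PATH=/usr/bin:/bin\0HOMEX=decoy\0LONGVAR=";
    const char tail[] = "\0HOME=/root\0";
    size_t hl = sizeof head - 1, tl = sizeof tail - 1;
    char *b = malloc(hl + LONG_LEN + tl);
    memcpy(b, head, hl);
    memset(b + hl, 'A', LONG_LEN);
    memcpy(b + hl + LONG_LEN, tail, tl);
    *len = hl + LONG_LEN + tl;
    return b;
}

/* Length of the value found in the sample blob, or -1 if not found. */
long demo_lookup_len(const char *name)
{
    size_t len;
    char *blob = demo_blob(&len);
    char *v = envvar_from_blob(blob, len, name);
    long r = v ? (long)strlen(v) : -1;
    free(v);
    free(blob);
    return r;
}

/* 1 if /proc/<pid>/environ holds name=expected, 0 otherwise. */
int envvar_equals(pid_t pid, const char *name, const char *expected)
{
    char *v = get_process_envvar(pid, name);
    int eq = v && strcmp(v, expected) == 0;
    free(v);
    return eq;
}

int main(void)
{
    printf("LONGVAR length %ld, BUFSIZ %d\n", demo_lookup_len("LONGVAR"), BUFSIZ);
    char *p = get_process_envvar(getpid(), "PATH");
    printf("PATH via /proc: %s\n", p ? p : "(unavailable)");
    free(p);
    return 0;
}
```

The cap matters as much as the growth: without it a process that has been handed a multi-gigabyte environment (or a FUSE-backed /proc that never returns EOF) turns the lookup into an allocation DoS inside the PAM module.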
Enhancements
- Emit log_error when superuser device filtering removes all devices — previously silent; now logs an explicit error so admins can diagnose misconfigured rules (#399)
Notes
- Security advisories (GHSAs) for the addressed findings will be published following this release.
- Full details in the ChangeLog.