
Stack overflows in nss_mymachines (CVE-2015-7510) #2002

Closed
fweimer opened this issue Nov 23, 2015 · 4 comments
Labels: bug 🐛 (Programming errors, that need preferential fixing), security

Comments


fweimer commented Nov 23, 2015

The getpwnam and getgrnam implementations in nss_mymachines have stack overflows due to an unconstrained alloca call (hidden behind strndupa). Example for getpwnam:

[fweimer@localhost ~]$ grep mymachines /etc/nsswitch.conf
passwd: files sss mymachines
group: files sss mymachines
hosts: files dns myhostname mymachines
[fweimer@localhost ~]$ python3 -c "import pwd; pwd.getpwnam('vu-' + 'X' * (16 * 1024 * 1024) + '-1')"
Segmentation fault (core dumped)

This has been assigned CVE-2015-7510 for tracking purposes.
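The pattern behind this report, written out as an added example that is not systemd's code and not the fix from #2006: a resolver that parses a "vu-<machine>-<uid>" user name (the shape of the crashing input above), first with the unbounded stack copy that strndupa() expands to, then with a length bound applied before anything is allocated. The MACHINE_NAME_MAX value of 64, the character check and the helper names are all assumptions made for the example; the limit and validation systemd actually applies are not stated on this page.

```c
#define _GNU_SOURCE
#include <alloca.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Assumed upper bound for the machine-name part of "vu-<machine>-<uid>".
 * The limit used by the real fix is not given on the page. */
#define MACHINE_NAME_MAX 64

struct vu_user {
        char machine[MACHINE_NAME_MAX + 1];
        uid_t uid;
};

/* Locate the machine-name part and parse the uid of "vu-<machine>-<uid>".
 * Returns 0 (setting *machine, *len, *uid) or -EINVAL if the shape is wrong.
 * Nothing is copied here, so this is safe for any input length. */
static int split_vu_name(const char *name, const char **machine, size_t *len, uid_t *uid) {
        const char *p, *dash;
        char *end;
        unsigned long u;

        if (strncmp(name, "vu-", 3) != 0)
                return -EINVAL;
        p = name + 3;
        dash = strrchr(p, '-');
        if (!dash || dash == p)
                return -EINVAL;
        errno = 0;
        u = strtoul(dash + 1, &end, 10);
        if (errno != 0 || end == dash + 1 || *end != '\0')
                return -EINVAL;

        *machine = p;
        *len = (size_t) (dash - p);
        *uid = (uid_t) u;
        return 0;
}

/* Stand-in for a real machine-name character check (assumed, not systemd's). */
static int machine_chars_ok(const char *s, size_t len) {
        for (size_t i = 0; i < len; i++)
                if (!isalnum((unsigned char) s[i]) && s[i] != '-' && s[i] != '_' && s[i] != '.')
                        return 0;
        return 1;
}

/* Vulnerable pattern: the machine name is copied onto the stack with a length
 * the caller controls. strndupa(p, len) expands to this alloca()+memcpy().
 * With the 16 MiB name from the report the stack pointer jumps far past the
 * guard page and the first write faults, which is the segfault shown above. */
static int lookup_unsafe(const char *name, struct vu_user *out) {
        const char *machine;
        size_t len;
        int r = split_vu_name(name, &machine, &len, &out->uid);
        if (r < 0)
                return r;

        char *copy = alloca(len + 1);        /* unbounded stack allocation */
        memcpy(copy, machine, len);
        copy[len] = '\0';

        if (!machine_chars_ok(copy, len))
                return -EINVAL;
        if (len > MACHINE_NAME_MAX)          /* too late: the stack is already consumed */
                return -ENAMETOOLONG;
        memcpy(out->machine, copy, len + 1);
        return 0;
}

/* Hardened form: bound the length before any allocation and copy into a
 * fixed-size buffer, so nothing this function touches is sized by the input. */
static int lookup_safe(const char *name, struct vu_user *out) {
        const char *machine;
        size_t len;
        int r = split_vu_name(name, &machine, &len, &out->uid);
        if (r < 0)
                return r;
        if (len > MACHINE_NAME_MAX)
                return -ENAMETOOLONG;        /* an NSS module would report "not found" */
        if (!machine_chars_ok(machine, len))
                return -EINVAL;

        memcpy(out->machine, machine, len);
        out->machine[len] = '\0';
        return 0;
}

/* Build "vu-" + n times 'X' + "-1" on the heap: the shape of the crashing input. Caller frees. */
static char *make_vu_name(size_t n) {
        char *s = malloc(3 + n + 3);
        if (!s)
                return NULL;
        memcpy(s, "vu-", 3);
        memset(s + 3, 'X', n);
        memcpy(s + 3 + n, "-1", 3);
        return s;
}

int main(void) {
        struct vu_user u;
        char *big = make_vu_name(16 * 1024 * 1024);
        int r = lookup_safe("vu-foo-1000", &u);
        printf("safe short : %d (machine=%s uid=%u)\n", r, u.machine, (unsigned) u.uid);
        printf("safe 16MiB : %d\n", lookup_safe(big, &u));
        /* lookup_unsafe(big, &u) would crash here exactly as in the report. */
        free(big);
        return 0;
}
```

The point of the split is that every check that depends on the input's size runs before any buffer is sized by it; a length check placed after the strndupa() call, as in lookup_unsafe, never executes on the input that matters.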

keszybz added a commit to keszybz/systemd that referenced this issue Nov 23, 2015
keszybz added the bug 🐛 (Programming errors, that need preferential fixing) and security labels Nov 23, 2015
poettering (Member) commented

getpwnam() is not a security boundary, hence why is this a security issue? Sure, we should validate this here, but I fail to see why this is a security problem?

poettering (Member) commented

Anyway, fixed by #2006.


fweimer commented Nov 23, 2015

Of course getpwnam is a security boundary. Network services use it to locate user information. Many local SUID programs (such as su) require it as well. Whether this is exploitable for anything but a crash is doubtful, but it is difficult to be certain.

Thanks for fixing it.


keszybz commented Nov 23, 2015

Thanks for the bug report.

keszybz closed this as completed Nov 23, 2015
fbuihuu pushed a commit to openSUSE/systemd that referenced this issue Jan 29, 2016
fbuihuu pushed a commit to openSUSE/systemd that referenced this issue Feb 12, 2016
systemd/systemd#2002
(cherry picked from commit cb31827)

[ tblume: fixes boo#956712 ]
fbuihuu pushed a commit to openSUSE/systemd that referenced this issue Mar 18, 2016
fbuihuu pushed a commit to openSUSE/systemd that referenced this issue Apr 4, 2016
fbuihuu pushed a commit to openSUSE/systemd that referenced this issue Apr 5, 2016
fbuihuu pushed a commit to openSUSE/systemd that referenced this issue Apr 14, 2016
fbuihuu pushed a commit to openSUSE/systemd that referenced this issue May 11, 2016
fbuihuu pushed a commit to openSUSE/systemd that referenced this issue May 27, 2016
fbuihuu pushed a commit to openSUSE/systemd that referenced this issue Jun 1, 2016
fbuihuu pushed a commit to openSUSE/systemd that referenced this issue Jun 17, 2016
fbuihuu pushed a commit to openSUSE/systemd that referenced this issue Aug 16, 2016