OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: userv security boundary tool 1.0.1 (SECURITY FIX)
From: Ian Jackson (userv-maintCHIARK.GREENEND.ORG.UK)
Date: Wed Jul 26 2000 - 20:30:54 CDT


-----BEGIN PGP SIGNED MESSAGE-----

SUMMARY

This is a combination security advisory and release announcement.

GNU userv 1.0.0 and earlier versions have a vulnerability where under
some conditions some local users may be able carry out unauthorised
actions, or (unlikely) be able to take control of service user
accounts.

GENERAL RELEASE ANNOUNCEMENT

GNU userv 1.0.1 is now available.

userv (pronounced `you-serve') is, in the words of the specification,
      a Unix system facility to allow one program to invoke another
      when only limited trust exists between them.

There is also an associated package userv-utils, which contains a
collection of miscellaneous userv services, which can serve as
examples and programs in their own right. No new general release of
userv-utils is being made at this time; one is expected soon.

For more information, including the on-line specification and the
distribution files, visit
 http://www.chiark.greenend.org.uk/~ian/userv/
userv is also available via the GNU FTP site and its mirrors.
1.0.1 will be available there soon if it isn't already.
Debian GNU/Linux binaries are available on the home FTP site.

If you have queries, please join the userv-discuss mailing list in
preference to mailing the author. Thank you.

MD5 checksums (vanilla source code release):
b5d19fae83609536b590cbb7044ad0d7 userv-1.0.1.tar.gz
9222b6e0539be3e0cb5663e128bf3ca2 userv-1.0.0-1.0.1.diff.gz

MD5 checksums (Debian GNU/Linux prepackaged release):
473a8fe477d20614aad97f538896969a userv_1.0.1.0slink.dsc
40b052547e2ea9fa69a12ee24dfe2af7 userv_1.0.1.0slink.tar.gz
ed9f52af62a96ea9097675bf6f723cb7 userv_1.0.1.0slink_i386.changes
ebf8d6cd431e94b6e731636d1d61440e userv_1.0.1.0slink_i386.deb
1a92258cecdb878ddd2f58cd03bd59b1 userv_1.0.1.1potato.dsc
ddf8df51026a1b880dc95f9ca04a6deb userv_1.0.1.1potato.tar.gz
958f4c8ebe68b4166e994435598b89a0 userv_1.0.1.1potato_i386.changes
82752bd8dcc7ec1e187b6d9cfe7403d0 userv_1.0.1.1potato_i386.deb
(Sources are actually identical. `0slink' is for the current stable,
Debian 2.1, `1potato' is for current frozen and unstable versions.)

Changes since 1.0.0:

  IMPORTANT SECURITY FIX:
  * fd swapping algorithm would sometimes corrupt security-critical data
    used to generate the service program's USERV_ environment variables.
    For details see the 1.0.1 announcement in the userv-announce archives.

  Portability improvement:
  * Look for `md5' as well as `md5sum' - installs easier on BSDs.

DETAILS

Affected versions of userv sometimes make an out-of-bounds array
reference in the fd swapping algorithm. The effect of this - if any -
on i386 platforms is usually to corrupt the USERV_GROUPS and
USERV_GIDS environment variables as passed to child processes,
replacing one of the groups with a wrong other group.

This means that service programs that use those environment variables
(or other information provided by the caller) to make access control
decisions may be vulnerable to trickery by some local users.

On other platforms other information relied on in the service program
may be corrupted. It may even be possible to induce the userv
subprocess which later execs the service program to crash or behave
maliciously, though this latter is unlikely and would require
considerable research to construct an exploit.

Access control tests carried out in userv's configuration language are
not affected, as they take place before the bug happens. So users who
do not configure (or have configured for them) any userv services are
not vulnerable, and users who are not configured as callers for any
userv services cannot exploit the problem.

The bug also happens well after the userv server has given up its root
privilege and switched to the service user, so unless you have userv
services provided by root which can be called by untrusted users you
are not vulnerable.

REMEDY

Apply the patch below and recompile and reinstall, or obtain a fixed
binary from your vendor or distribution maintainer. Binaries for
Debian GNU/Linux i386 are available. See above for details.

PATCH

Given the fact that this is a security advisory a patch is attached:

 Index: servexec.c
 ===================================================================
 RCS file: /usr/src/CVS/userv/servexec.c,v
 retrieving revision 1.13
 retrieving revision 1.14
 diff -u -r1.13 -r1.14
 --- servexec.c 2000/03/06 18:14:46 1.13
 +++ servexec.c 2000/07/27 00:08:34 1.14
  -266,7 +266,8
      fdarray[fd].holdfd= -1;
    }
    for (fd=0; fd<fdarrayused; fd++) {
 - if (fdarray[fd].realfd < fdarrayused) fdarray[fdarray[fd].realfd].holdfd= fd;
 + if (fdarray[fd].realfd < fdarrayused && fdarray[fd].realfd >= 0)
 + fdarray[fdarray[fd].realfd].holdfd= fd;
    }
    for (fd=0; fd<fdarrayused; fd++) {
      realfd= fdarray[fd].realfd;

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOX+PicMWjroj9a3bAQHpRgQAmNQMV2rSQOluK7qHziX3Hz4PcFwj7oEc
i8Bf6U8LFWQGl3EwBbQWHYsL6N+zM7b+LjcUUbThF4fBQU5xJjiql031Sh/A+ubM
mKR39xa04spJ+3kwXWU8mxRktqXJDHSp5GYL9Edr5jVAWrQwKkaIs7YvIshJCjpt
hyGIUiz+0kc=
=T0Ft
-----END PGP SIGNATURE-----