Re: Do people exaggerate in security advisories?

From: Valdis . Kletnieks
Date: Fri Jan 04 2008 - 15:28:23 EST

Next message: Thomas Gleixner: "Re: [PATCH x86] [12/16] Optimize lock prefix switching to run lessfrequently"
Previous message: Udo A. Steinberg: "Re: memory remapping, 4gb memory on 945gt"
In reply to: Manuel Reimer: "Re: Do people exaggerate in security advisories?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 04 Jan 2008 13:21:32 +0100, Manuel Reimer said:

> Is it really possible to get root privileges with this bug or are there
> people who just write "may be used to escalate privileges" near any bug
> which has something to do with "setuid" or "setgid"?

It looks like it really *is* possible to do some damage, if you can make
several things happen:

1) Cause set[ug]id() to fail, possibly using a crafted 'capabilities' list.
2) Get it to invoke a helper that's now running with different permissions than
it was designed to, and feed said helper some carefully crafted malicious or
bogus data.

Given that it is semantically almost identical to the Sendmail-capabilities
bug from a few years ago, which was *certainly* abusable to get root, it would
be foolish to think anything *except* "this sucker should be assumed to be
a root exploit until *proven* otherwise". Anybody who thinks "I don't see
how to exploit it, so it can't be done" is in for a rude surprise....

Attachment: pgp00000.pgp
Description: PGP signature

Next message: Thomas Gleixner: "Re: [PATCH x86] [12/16] Optimize lock prefix switching to run lessfrequently"
Previous message: Udo A. Steinberg: "Re: memory remapping, 4gb memory on 945gt"
In reply to: Manuel Reimer: "Re: Do people exaggerate in security advisories?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]