oss-sec mailing list archives
Re: radvd 1.8.2 released with security fixes
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Thu, 13 Oct 2011 12:42:42 +0530
On 10/07/2011 04:22 AM, Solar Designer wrote:
> 3) The radvd daemon would not fail on privsep_init() errors, which could cause it to run with full root privileges when it should be running as an unprivileged user. (CVE-2011-3603)
I think this is not an issue at all:

If you look at the unpatched code, in privsep-linux.c, privsep_init() can return -1 at two places.

A. if pipe(pipefds) fails
B. If fork() fails

If either of these functions fails, the end result is that there is no fork() and radvd runs as a single process.

Now looking at radvd.c

    /* drop root privileges if requested. */
    if (username) {
        if (!singleprocess) {
            dlog(LOG_DEBUG, 3, "Initializing privsep");
            if (privsep_init() < 0)
                flog(LOG_WARNING, "Failed to initialize privsep.");
        }

        if (drop_root_privileges(username) < 0) {
            perror("drop_root_privileges");
            exit(1);
        }
    }

After running privsep_init(), drop_root_privileges() is run, so:

a. if privsep_init() failed and drop_root_privileges() did not fail, you end up running a single radvd process running as radvd user, which is similar to running "radvd --singleprocess"

b. if privsep_init() failed and drop_root_privileges() failed, you bail out of the program, similar to what would happen if privsep_init() did not fail.

c. if privsep_init() and drop_root_privileges() did not fail, we have two radvd processes, one running as radvd user and the other is root

So from what I can see, the maximum harm which would occur if privsep_init() fails, is that radvd would effectively run in --singleprocess mode
-- Huzaifa Sidhpurwala / Red Hat Security Response Team
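The case analysis in the message above, as a runnable model of the quoted radvd.c excerpt (an added example, not radvd code and not part of the original post). The `faults` switches, `model_privsep_init()`, `startup()` and the `fail_closed` option are hypothetical names; the model assumes that a successful drop_root_privileges() really leaves the process unprivileged.

```c
#include <stdio.h>

/* End states of start-up; the letters refer to cases a, b, c in the message. */
enum outcome { EXITED, SINGLE_UNPRIV, SPLIT_PRIVSEP };

/* Constructed fault switches standing in for pipe(), fork() and the
 * privilege drop. Hypothetical, not part of radvd. */
struct faults { int pipe_fails, fork_fails, drop_fails; };

/* The two failure points the message lists for privsep_init(). */
static int model_privsep_init(const struct faults *f)
{
    if (f->pipe_fails) return -1;   /* A. pipe(pipefds) fails */
    if (f->fork_fails) return -1;   /* B. fork() fails */
    return 0;                       /* root helper process now exists */
}

/* Control flow of the quoted radvd.c excerpt with a username set.
 * fail_closed = 1 is the assumed alternative: privsep_init() errors are fatal. */
enum outcome startup(const struct faults *f, int singleprocess, int fail_closed)
{
    int split = 0;
    if (!singleprocess) {
        if (model_privsep_init(f) == 0)
            split = 1;
        else if (fail_closed)
            return EXITED;
        /* else: the excerpt only logs a warning and carries on */
    }
    if (f->drop_fails)
        return EXITED;              /* b. perror() and exit(1) */
    return split ? SPLIT_PRIVSEP : SINGLE_UNPRIV;   /* c. or a. */
}

int main(void)
{
    static const char *name[] = { "exit", "single process, unprivileged",
                                  "two processes (root helper + unprivileged)" };
    for (int m = 0; m < 8; m++) {   /* every combination of the three faults */
        struct faults f = { m & 1, (m >> 1) & 1, (m >> 2) & 1 };
        printf("pipe_fails=%d fork_fails=%d drop_fails=%d  warn: %-30s  fatal: %s\n",
               f.pipe_fails, f.fork_fails, f.drop_fails,
               name[startup(&f, 0, 0)], name[startup(&f, 0, 1)]);
    }
    return 0;
}
```

The two columns differ only in the rows where pipe() or fork() fails and the privilege drop succeeds: the warn-and-continue flow ends as a single unprivileged process, the fatal variant exits.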