This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug network/19785] New: sunrpc: key_call_keyenvoy does not check the return value of setreuid (twice)

From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sourceware dot org
Date: Tue, 08 Mar 2016 09:21:35 +0000
Subject: [Bug network/19785] New: sunrpc: key_call_keyenvoy does not check the return value of setreuid (twice)
Auto-submitted: auto-generated

https://sourceware.org/bugzilla/show_bug.cgi?id=19785

            Bug ID: 19785
           Summary: sunrpc: key_call_keyenvoy does not check the return
                    value of setreuid (twice)
           Product: glibc
           Version: 2.24
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
            Target: hurd
             Flags: security+

The implementation does this:

  __setreuid (euid, ruid);
  pid = _openchild (MESSENGER, &fargs, &frslt);
  __setreuid (ruid, euid);

It should rather do this:

  if (__setreuid (euid, ruid) != 0)
    return 0;
  pid = _openchild (MESSENGER, &fargs, &frslt);
  if (__setreuid (ruid, euid) != 0)
    abort ();

Linux defines SO_PASSCRED, so this only affects Hurd.

Technically, this is a security issue because if setreuid fails, the RPC
implementation will authenticate as the wrong user.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]