This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug network/19785] New: sunrpc: key_call_keyenvoy does not check the return value of setreuid (twice)
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 08 Mar 2016 09:21:35 +0000
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=19785
Bug ID: 19785
Summary: sunrpc: key_call_keyenvoy does not check the return
value of setreuid (twice)
Product: glibc
Version: 2.24
Status: NEW
Severity: normal
Priority: P2
Component: network
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
Target Milestone: ---
Target: hurd
Flags: security+
The implementation does this:
    __setreuid (euid, ruid);
    pid = _openchild (MESSENGER, &fargs, &frslt);
    __setreuid (ruid, euid);
It should rather do this:
    if (__setreuid (euid, ruid) != 0)
      return 0;
    pid = _openchild (MESSENGER, &fargs, &frslt);
    if (__setreuid (ruid, euid) != 0)
      abort ();
Linux defines SO_PASSCRED, so this only affects Hurd.
Technically, this is a security issue because if setreuid fails, the RPC
implementation will authenticate as the wrong user.
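The difference between the two patterns in the report, as an added example that is not glibc code and not part of the original message: it runs both against a simulated setreuid whose first call is forced to fail and records which real UID the child would inherit. The sim_* names, call_unchecked, call_checked, wrong_identity_used and the UIDs 1000 and 2000 are hypothetical and constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Simulated process credentials (constructed; the real process is untouched). */
static uid_t sim_ruid, sim_euid, seen_ruid;
static int sim_fail, launched;

/* Same signature as setreuid(2); fails once when sim_fail is set. */
static int sim_setreuid(uid_t ruid, uid_t euid)
{
    if (sim_fail) { sim_fail = 0; return -1; }
    sim_ruid = ruid; sim_euid = euid;
    return 0;
}

/* Stand-in for _openchild: records the real UID the child would inherit. */
static void sim_openchild(void) { launched = 1; seen_ruid = sim_ruid; }

typedef int (*swap_fn)(uid_t, uid_t);
/* Pattern described in the report: both return values are ignored. */
static int call_unchecked(swap_fn swap, uid_t ruid, uid_t euid)
{
    swap(euid, ruid);
    sim_openchild();
    swap(ruid, euid);
    return 1;
}

/* Pattern proposed in the report: fail closed, abort if the restore fails. */
static int call_checked(swap_fn swap, uid_t ruid, uid_t euid)
{
    if (swap(euid, ruid) != 0)
        return 0;
    sim_openchild();
    if (swap(ruid, euid) != 0)
        abort();
    return 1;
}

/* Forces the first swap to fail; returns 1 if the child was still started
   with the unswapped real UID, i.e. under the wrong identity. */
static int wrong_identity_used(int checked)
{
    sim_ruid = 1000; sim_euid = 2000; sim_fail = 1; launched = 0;
    (checked ? call_checked : call_unchecked)(sim_setreuid, 1000, 2000);
    return launched && seen_ruid == 1000;
}

int main(void) { printf("%d %d\n", wrong_identity_used(0), wrong_identity_used(1)); return 0; }
```

Because swap_fn has the signature of setreuid(2), the same helper shape can be exercised with the real call in a privileged test environment.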