[Buildroot] [PATCH 2/2] openvmtools: add patch to defend from lsb path walking attack
Romain Naour
romain.naour at openwide.fr
Sun Mar 8 21:24:04 UTC 2015
Hi Karoly,
Le 25/02/2015 23:14, Karoly Kasza a écrit :
> Add patch to defend lsb from path walking attack.
> Originally from Debian.
>
> Signed-off-by: Karoly Kasza <kaszak at gmail.com>
> ---
> package/openvmtools/0009-lsb.patch | 106 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 106 insertions(+)
> create mode 100644 package/openvmtools/0009-lsb.patch
>
> diff --git a/package/openvmtools/0009-lsb.patch b/package/openvmtools/0009-lsb.patch
> new file mode 100644
> index 0000000..54c3232
> --- /dev/null
> +++ b/package/openvmtools/0009-lsb.patch
> @@ -0,0 +1,106 @@
> +Upsteam Debian patch to defend openvmtools against path walking.
> +
> +Original description:
> +
> +From 3a9f2297a82b9c109e894b5f8ea17753e68830ac Mon Sep 17 00:00:00 2001
> +From: "VMware, Inc" <>
> +Date: Tue, 17 Sep 2013 20:39:34 -0700
> +Subject: [PATCH] Harden HostinfoOSData against $PATH attacks.
> +
> +We are doing a popen("lsb_release... ") when attempting to
> +determine host details in hostinfoPosix.c. Using popen means that
> +$PATH is walked when looking for the lsb_release binary, and that
> +may give an attacker the ability to run a malicious version of
> +lsb_release.
> +
> +This change does two things,
> +
> +a) Hard code the path to lsb_release. I've searched around
> + the web and I believe the path is always "/usr/bin/lsb_release"
> + so let's not leave this up to chance.
> +
> +b) Stop running HostinfoGetCmdOutput with elevated privileges. Drop
> + to non-root when possible. If someone sneaks in a new call to
> + HostinfoGetCmdOutput and doesn't use a full path, then we will
> + hopefully avoid a firedrill. I'm only applying this to Linux
> + because the Fusion build barfed when I tried to compile with
> + without the vmx86_linux.
> +
> +I think either (a) or (b) would be enough but I'm doing both,
> +because each individually is correct. Also note that in the blog
> +post by Tavis Ormandy calls out doing (a) as not enough,
> + http://blog.cmpxchg8b.com/2013/08/security-debianisms.html
> +His example uses a bash feature that allows functions to be
> +exported. I haven't been able to get that to work on my Ubuntu
> +machine.
> +
> +To test I'm manually run Linux WS and Fusion and verified that
> +the logs look correct.
> +
> +Signed-off-by: Dmitry Torokhov <dtor at vmware.com>
> +
> +Signed-off-by: Karoly Kasza <kaszak at gmail.com>
> +
> +---
> + open-vm-tools/lib/misc/hostinfoPosix.c | 23 +++++++++++++++++++----
> + 1 file changed, 19 insertions(+), 4 deletions(-)
> +
> +--- a/lib/misc/hostinfoPosix.c
> ++++ b/lib/misc/hostinfoPosix.c
> +@@ -800,17 +800,27 @@ out:
> + static char *
> + HostinfoGetCmdOutput(const char *cmd) // IN:
> + {
> ++ Bool isSuperUser = FALSE;
> + DynBuf db;
> + FILE *stream;
> + char *out = NULL;
> +
> ++ /*
> ++ * Attempt to lower privs, because we use popen and an attacker
> ++ * may control $PATH.
> ++ */
> ++ if (vmx86_linux && Id_IsSuperUser()) {
> ++ Id_EndSuperUser(getuid());
> ++ isSuperUser = TRUE;
> ++ }
> ++
> + DynBuf_Init(&db);
> +
> + stream = Posix_Popen(cmd, "r");
> + if (stream == NULL) {
> + Warning("Unable to get output of command \"%s\"\n", cmd);
> +
> +- return NULL;
> ++ goto exit;
> + }
> +
> + for (;;) {
> +@@ -844,11 +854,16 @@ HostinfoGetCmdOutput(const char *cmd) /
> + if (DynBuf_Get(&db)) {
> + out = (char *) DynBuf_AllocGet(&db);
> + }
> +- closeIt:
> +- DynBuf_Destroy(&db);
> +
> ++ closeIt:
> + pclose(stream);
> +
> ++ exit:
> ++ DynBuf_Destroy(&db);
> ++
> ++ if (isSuperUser) {
> ++ Id_BeginSuperUser();
> ++ }
> + return out;
> + }
> +
> +@@ -967,7 +982,7 @@ HostinfoOSData(void)
> + * Try to get OS detailed information from the lsb_release command.
> + */
> +
> +- lsbOutput = HostinfoGetCmdOutput("lsb_release -sd 2>/dev/null");
> ++ lsbOutput = HostinfoGetCmdOutput("/usr/bin/lsb_release -sd 2>/dev/null");
> + if (!lsbOutput) {
> + int i;
> +
>
Although we don't have a lsb package in Buildroot, this patch looks good.
Reviewed-by: Romain Naour <romain.naour at openwide.fr>
Best regards,
Romain
More information about the buildroot
mailing list