Package: libgssglue1 Version: 0.3-4 Tags: security Please apply the patch below to ignore the GSSAPI_MECH_CONF environment variable in processes which are SUID/SGID or otherwise privileged (such as mount.nfs). This patch has only been lightly tested. I made some effort to make it compatible with Debian/kfreebsd, but it hasn't been compiled there.
For some background information, see: http://thread.gmane.org/gmane.comp.security.oss.general/5544 We should patch squeeze as well, but the issue does not appear to be exploitable with a stock installation because mount.nfs does not link against libtirpc yet. So fixing this via stable-proposed-updates is preferred.
Index: git/src/g_initialize.c
===================================================================
--- git.orig/src/g_initialize.c 2012-04-24 12:30:19.522069647 +0200
+++ git/src/g_initialize.c 2012-04-24 12:34:27.526194012 +0200
@@ -34,6 +34,10 @@
 #include <ctype.h>
 #include <errno.h>
 #include <syslog.h>
+#include <unistd.h>
+#ifdef linux
+#include <sys/prctl.h>
+#endif
 #ifdef USE_SOLARIS_SHARED_LIBRARIES
 #include <dlfcn.h>
@@ -182,6 +186,22 @@
 return 0;
 }
+/* Returns true if the process is SUID or SGID. */
+static int
+is_privileged(void)
+{
+ extern int __libc_enable_secure;
+ if (__libc_enable_secure) {
+ return 1;
+ }
+#ifdef linux
+ if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 1) {
+ return 1;
+ }
+#endif
+ return getuid() != geteuid() || getgid() != getegod();
+}
+
 #ifdef USE_SOLARIS_SHARED_LIBRARIES
 /*
 * read the configuration file to find out what mechanisms to
@@ -195,7 +215,7 @@
 void *dl;
 gss_mechanism (*sym)(void), mech;
- if ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)
+ if (is_privileged() || (filename = getenv("GSSAPI_MECH_CONF")) == NULL)
 filename = MECH_CONF;
 if ((conffile = fopen(filename, "r")) == NULL) {
@@ -271,7 +291,7 @@
 void *dl;
 gss_mechanism (*sym)(void), mech;
- if ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)
+ if (is_privileged() || (filename = getenv("GSSAPI_MECH_CONF")) == NULL)
 filename = MECH_CONF;
 if ((conffile = fopen(filename, "r")) == NULL) {
-- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
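Review bot: The added include guard `#ifdef linux` relies on the legacy unprefixed macro, which GCC does not predefine in strict ISO modes such as `-std=c99`. Under those flags `<sys/prctl.h>` and the `PR_GET_DUMPABLE` test in `is_privileged()` (second hunk, same guard) would compile out without any diagnostic, leaving only the glibc flag and the uid/gid comparison. `#ifdef __linux__` is defined in every mode and should be used in both places.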
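Review bot: The final return of `is_privileged()` calls `getegod()`, which is not a POSIX function; the comparison is presumably meant to be `getgid() != getegid()`. As written, the SGID half of the check either fails to link or goes through an implicit declaration. The `extern int __libc_enable_secure;` declaration also ties the helper to a glibc-internal symbol, so a build against another libc would need a guard that falls back to the uid/gid comparison alone. The header comment understates the contract, since on Linux a non-dumpable process is treated as privileged too; it could read `/* Returns nonzero if the process is SUID/SGID, runs in secure-execution mode, or (Linux) is not dumpable. */`.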
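Review bot: The condition `is_privileged() || (filename = getenv("GSSAPI_MECH_CONF")) == NULL` is pasted identically into both loader variants (the hunks at -195 and -271), so the policy now lives in two places and a later `getenv` call for this variable could miss the check. A small static helper that returns the configuration path would keep the decision in one spot and make it clear that `filename` is assigned on every path. Both enclosing functions start and end outside the hunks, so the declared type of `filename` and any other environment lookups they make are not visible here.

```c
/* Path of the mechanism configuration file; the environment override
 * is honoured only when the process is not privileged. */
static char *
mech_conf_path(void)
{
	char *path;

	if (is_privileged())
		return MECH_CONF;
	path = getenv("GSSAPI_MECH_CONF");
	return path != NULL ? path : MECH_CONF;
}

/* … unchanged: declarations at the top of each loader function … */
	filename = mech_conf_path();
```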

