Gentoo Archives: gentoo-dev

From: Ben Lutgens <blutgens@×××××××.com>
To: gentoo-dev@g.o
Subject: [gentoo-dev] Fwd: xinetd 2.3.0 audit status
Date: Thu, 30 Aug 2001 09:09:38
1 This message I got from bugtraq this morning, I've updated sys-apps/xinetd to 2.3.3
2 this morning at 10:09 CST expect the update to show up on rsync within the hour.
3 I'd advise you all to upgrade once you've read the enclosed mail.
6 ----- Forwarded message from Solar Designer <solar@××××××××.com> -----
8 From: Solar Designer <solar@××××××××.com>
9 Message-ID: <20010830054009.A31413@××××××××.com>
10 Date: Thu, 30 Aug 2001 05:40:09 +0400
11 Cc: security-audit@××××××××××××××××.uk
12 To: bugtraq@×××××××××××××.com
13 Subject: xinetd 2.3.0 audit status
14 User-Agent: Mutt/1.2.5i
16 Hi,
18 As some of you may know, I've performed an audit of the xinetd 2.3.0
19 source code for certain classes of vulnerabilities. The audit has
20 resulted in a significant number of fixes (many are for non-security
21 issues). The patch was over 100 KB large and got incorporated into
22 xinetd starting with 2.3.1. There were, however, certain issues with
23 patch merging, and the version of xinetd which finally has all of the
24 fixes (plus some more, by other people) is 2.3.3.
26 It is important to understand that no audit is a complete guarantee,
27 and that the audit I've performed covered only a subset of possible
28 problems as listed in AUDIT (now included with xinetd itself and also
29 at the end of this posting). The USERID and RECORD features remain
30 dangerous: the code to handle them is overly privileged. Packagers
31 should make sure these are disabled by default.
33 The worst known security problem with 2.3.0 is that it turned out to
34 not fully fix the string handling vulnerability previously discovered
35 by Sebastian Krahmer of SuSE Security Team. A single NUL byte could
36 still be written beyond the intended area. This kind of a flaw has
37 previously been shown to be exploitable in at least some cases with
38 the help of frame pointers (Olaf Kirch, 1998, "The poisoned NUL byte").
39 Sebastian's patch didn't have the bug, so the SuSE xinetd updates are
40 likely not affected by this.
42 --- xinetd-2.3.*/AUDIT
43 This is the xinetd-2.3.0 audit status. The audit has been performed
44 in order to make the Owl ( xinetd package
45 reasonably secure and of course with the hope that others will find
46 the results and patches useful as well.
48 Much of xinetd's logic is left unaudited (other than for generic bug
49 classes listed below). In particular, this applies to all network
50 access control checks.
52 To summarize the results, xinetd may be reasonably safe to use with
53 these patches, but the code remains far from clean and certain bugs
54 are there by design.
56 The format of this list is one item per line, with subitems indented.
57 If a line doesn't start with a '+', that item hasn't been completed
58 (audited and/or patched).
60 None of the PATCH'es are a part of xinetd-2.3.0; they will be in the
61 Owl package and hopefully will get incorporated into future versions
62 of xinetd.
64 --
65 Solar Designer <solar@××××××××.com>
67 +BUGS strx_* functions (danger: don't always NUL-terminate)
68 +PATCH bug: shouldn't write NUL when len <= 0
69 +PATCH may overflow with huge precision values (bad for format bugs)
70 +BUGS strx_* calls: some assume NUL-termination, but none look dangerous
71 +PATCH __xlog_explain_errno forgets to update size
72 +PATCH child.c: child_process may not NUL-terminate name
73 +PATCH init.c: syscall_failed may not NUL-terminate err
74 +PATCH shutdown.c: safe, but should use print_buf_size-1
75 +PATCH signals.c: sig_name should use sizeof(signame_buf)-1
76 +OK str_* calls
77 +OK none :-)
78 +OK strcat, strcpy calls (testsuite calls not checked)
79 +OK strn* calls
80 +PATCH some inefficient, but correct
81 +BUGS memcpy, memmove, bcopy calls
82 +PATCH addr.c: addrlist_dump() copies ipv6 address into ipv4 struct
83 +PATCH addr.c: host_addr() trusts hep->h_length from gethostbyname()
84 +PATCH parsers.c: redir_parser() wouldn't build/work when NO_INET_ATON
85 +PATCH parsers.c: redir_parser() wrongly relies on sizeof(he->h_addr)
86 +PATCH parsers.c: bind_parser() same as the above
87 the use of sizeof() is inconsistent (not always of dst arg)
88 +PATCH should change bcopy to memcpy/memmove as appropriate
89 +BUGS sio_memcopy calls
90 +OK sio.c
91 +BUGS siosup.c is too complicated in its handling of data sizes
92 +OK expand() is only called with old_size < new_size
93 +? buffer_setup() isn't obviously correct, but is safe
94 +OK __sio_extend_buffer is correct
95 +PATCH comment to sio.h: aux buffer is right below buf
96 +PATCH __sio_get_events may cause bufentries < 0 (->overflow)
97 +OK conn_setaddr calls: safe, but could use sizeof((cp)->co_remote_address)
98 +OK sprintf calls
99 +BUGS sscanf calls
100 +PATCH addr.c: explicit_mask() has single-byte overflow of saddr[]
101 +BUGS formats
102 +OK fprintf, sprintf, fscanf, sscanf
103 +OK syslog (but relies on %.*s for non-NUL-terminated buffers)
104 +OK strx_*
105 +OK svc_logprint, prepare_buffer
106 +BUGS msg, parsemsg
107 +PATCH intcommon.c: int_init() passes fmt as wrong arg
108 +PATCH (non-security) should never have '\n' in format
109 +OK tabprint
110 +OK Sprint
111 +OK ostimer.c: terminate
112 +PATCH xlog_write() is called on untrusted input w/o XLOG_NO_ERRNO
113 +OK ident -- looks mostly safe
114 +OK SIGALRM + longjmp() used safely:
115 +OK no static accesses, no stdio between START/STOP_TIMER
116 +OK immediate return on timeout (-> no clobbering issues)
117 +OK signal mask after longjmp() is unimportant
118 +PATCH could be safer to also reset SIGALRM handler
119 +PATCH verify_line() modifies buf, which is then logged on error
120 will log control chars from remote
121 +BUGS builtins
122 +OK time, daytime, sensor: NO_FORK && stream (safe: FNDELAY)
123 +PATCH accept() return value never checked
124 +PATCH bad_port_check(): should deny all <1024 (53/udp is just as bad)
125 +PATCH stream_daytime writes to wrong fd when wait = yes (gets EPIPE)
126 +PATCH *_time sends sizeof(time_t): wrong on at least linux-alpha
127 xadmin_handler(): the command parser is unreliable (use sio?)
128 +BUGS record (shutdown.c)
129 connect_back may be used for portscanning of own machine
130 write() return values not checked
131 +PATCH will only handle traditional (obsolete) crypt(3) hashes
132 special.c: stream_shutdown() will log control chars from remote
133 intercept (int[.c]*, {tcp,udp}int.c) -- checked for generic bugs ONLY
134 tcpint.c: si_exit() may leave open fd from accept()
135 +BUGS signal races, longjmp clobbering
136 +BUGS __ostimer_interrupt:
137 +PATCH call_level should be volatile
138 +PATCH should use &ret_env, not (char *)ret_env (may differ)
139 +BUGS ret_env modified non-atomically (with 2 TIMER_LONGJMP's)
140 +PATCH should set have_env before and make it volatile
141 +PATCH may leave an altered signal mask on longjmp()
142 should fallback to plain longjmp in configure
143 +OK __ostimer_{add,remove} only called with signals blocked
144 +OK timer_s fields not volatile, safe due to block _calls_
145 +BUGS check uses of TIMER_LONGJMP flag
146 +BUGS confparse.c: get_conf() may jump out of malloc(), etc
147 no other uses, perhaps just disable CONF_TIMEOUT
148 +OK ident.c: mostly safe (see above)
149 +BUGS signals.c: bad_signal(): only on crashes, so not a big issue
150 +PATCH *count should be volatile to really avoid looping
151 does calls which may cause another SIGSEGV w/o a bug
152 +PATCH may leave an altered signal mask on longjmp()
153 +BUGS signals.c: general_handler()
154 sio and non-reentrant libc calls on unexpected signal
155 +BUGS signals.c: handle_signal(), my_handler(): events may be lost
156 my_handler may be re-entered, but M_SET isn't atomic:
157 should split ps.flags into int-per-flag
158 +OK main.c: main(): setjmp() placed in a way avoiding clobbering
159 +BUGS access.c: parent_access_control(), alrm_ena() (cps feature)
160 alrm_ena() may cause re-entry into syslog(), etc
161 SIGALRM handler may be never reset, or --
162 the handler and/or alarm may be reset for other needs
163 should use the timer queues, not OS timers
164 +BUGS int.c: int_sighandler(), intcommon.c: int_init()
165 int_sighandler() may cause re-entry into msg(), etc
166 installed for multiple signals, doesn't block
167 may interrupt msg() in main and cause re-entry
168 +PATCH redirect.c: redir_sigpipe() should use _exit(2), not exit(3)
169 +BUGS fd_set overflows
170 intcommon.c: sets INT_REMOTE(ip) w/o fd_set size check
171 {tcp,udp}int.c: si_mux(), di_mux() FD_SET w/o fd check
172 internals.c: socket_mask_copy w/o fd checks
173 main_loop(): select() on read_mask w/o fd checks
174 service.c: svc_activate(): could check ps.rws.mask_max here
175 (many files) all references to ps.rws.socket_mask are unchecked
176 redirect.c: redir_handler() no checks for rdfd, msfd
177 should use fd_grow similarly to OpenBSD inetd
178 +PATCH workaround: reduce RLIMIT_NOFILE to FD_SETSIZE
179 +BUGS __sio_descriptors overflows
180 +PATCH sio functions forget to check fd against n_descriptors
181 +BUGS get_fd_limit(), Smorefds()
182 +PATCH assume RLIMIT_NOFILE is small (not RLIM_INFINITY)
183 +OK orig_max_descriptors and max_descriptors are rlim_t, not int
184 +BUGS potential fd leaks to services
185 +PATCH init.c: setup_file_descriptors() relies on the rlimit only
186 returns from close() never checked -- fixed the worst one
187 +BUGS child.c: set_credentials()
188 +PATCH should fail if !ps.ros.is_superuser && user/group requested
189 +OK is otherwise fail-close and resets groups (fixed long ago)
190 +BUGS gethostby*, getaddrinfo (some are common with memcpy bugs)
191 +PATCH addr.c: host_addr() trusts hep->h_length from gethostbyname()
192 addr.c: host_addr() INET6 doesn't check res->ai_family
193 parsers.c: {redir,bind}_parser() don't check res->ai_family
194 +PATCH parsers.c: redir_parser() wrongly relies on sizeof(he->h_addr)
195 +PATCH parsers.c: bind_parser() same as the above
196 +PATCH getpwnam unnecessarily leaves password hashes in address space on BSD
197 ---
198 +PATCH gcc format attributes
199 + build with gcc -Wall -Wcast-align (x86, alpha) -- mostly clean
200 +PATCH many unused vars with ipv6
201 +PATCH parsers.c, inet.c: stores strtol() to int, then needs long
202 +PATCH several format strings don't match arguments
203 + build with ccc -msg_enable level4 or higher
204 +PATCH CC= from configure doesn't get into Makefile's
205 lots of warnings (250 KB of output), the code is just not clean
206 +PATCH some really need fixing
207 - use wrapper functions around either strx_* or vsnprintf()?
208 + not a good idea, tested strx_* against snprintf instead
209 ? define strz_* wrappers around strx_*, which would always NUL-terminate
210 +PATCH atoi -> strtol with long to int overflow checks
211 ---
212 should limit logging rate (= rate of permitted sessions, popa3d-like)
213 should drop privileges for ident lookups, builtins, and records
214 should have options to build --without-{ident,builtins,record,intercept}
215 should generate manpages accordingly
217 ----- End forwarded message -----
219 --
220 Ben Lutgens
221 Sistina Software Inc.
223 What's the difference between root and God ?
224 God doesn't think that he is root.