In NSPR releases 4.6.2 or earlier, setuid-root programs linked
with NSPR can be used to truncate any file.

The prerequisites for this security vulnerability are:

1. Your NSPR-based programs are running on an operating system
   with the setuid-root feature.  The operating systems with this
   feature are Unix platforms, Linux, and Mac OS X.

2. Your NSPR-based programs are marked with setuid-root.  If a
   program is marked setuid-root, the program runs effectively as
   if it were run by the root user.  Here is an example of a setuid-root
   program on Linux:

     % ls -l /usr/bin/crontab
     -rwsr-xr-x  1 root root 66321 Dec  8  2004 /usr/bin/crontab*

The program /usr/bin/crontab is owned by the user "root" and
its user execution permission bit is marked as 's' as opposed
to the usual 'x'.  In contrast, here is a program that's not
setuid-root:

  % ls -l /bin/ls
  -rwxr-xr-x  1 root root 85232 Oct  5  2004 /bin/ls*

If the two prerequisites are met, an authorized user on the
computer can set the environment variable NSPR_LOG_FILE to
the pathname of a file on the computer before running the
setuid-root program that's linked with NSPR.  The program will
first truncate the file to zero length, and then it may write
some logging output to the file if the NSPR_LOG_MODULES
environment variable is also set.
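The defensive check a library should apply before honouring a file path taken from the environment, written here as an added example in C (it is not NSPR's own code and does not reproduce the 4.6.3 patch): when the real and effective ids differ, the process was started via a setuid or setgid binary and the environment belongs to an untrusted user, so the path is ignored and logging falls back to stderr.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical helper (not NSPR code): a process is "privileged" when a
 * setuid or setgid bit gave it an effective id that differs from the real
 * id of the user who launched it.  The ids are parameters so the policy
 * can be exercised without installing a setuid binary. */
int running_privileged(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Decide whether a log-file path from the environment may be honoured.
 * Returns the path when it is safe to use, NULL when the library must
 * fall back to its default (stderr).  Under setuid-root the environment
 * is controlled by an unprivileged user, so opening the path for writing
 * would truncate a file of that user's choosing with root's privileges. */
const char *log_path_from_env(const char *env_value, int privileged)
{
    if (env_value == NULL || env_value[0] == '\0')
        return NULL;              /* variable unset or empty */
    if (privileged)
        return NULL;              /* untrusted environment: ignore it */
    return env_value;
}

/* Apply the policy to the live process; NSPR_LOG_FILE is the variable
 * named in the advisory above. */
const char *choose_log_path(void)
{
    int priv = running_privileged(getuid(), geteuid(), getgid(), getegid());
    return log_path_from_env(getenv("NSPR_LOG_FILE"), priv);
}

int main(void)
{
    const char *path = choose_log_path();
    if (path == NULL)
        fprintf(stderr, "log path from environment ignored; using stderr\n");
    else
        printf("would open log file: %s\n", path);
    return 0;
}
```

On glibc, secure_getenv(3) encapsulates the same policy: it returns NULL whenever the process runs with elevated privileges.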

This bug is fixed in the NSPR 4.6.3 release.  If you aren't
sure whether you're affected by this bug, it's prudent to upgrade
to NSPR 4.6.3 anyway.  The CVS tag is NSPR_4_6_3_RTM, and the
source code can be downloaded from
https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6.3/

This bug has been added to the NSPR 4.6.3 Release Notes:
http://www.mozilla.org/projects/nspr/release-notes/nspr463.html

Description of this bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=351470
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1&searchclause
http://secunia.com/advisories/22348/

Wan-Teh Chang

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto