ktsuss fails to change the effective UID back to the real UID

Bug #932107 reported by Zubin Mithra
Affects            Status        Importance  Assigned to  Milestone
ktsuss (Debian)    Fix Released  Unknown
ktsuss (Ubuntu)    Invalid       Undecided   Unassigned
  Lucid            Won't Fix     Undecided   Unassigned
  Maverick         Won't Fix     Undecided   Unassigned
  Natty            Won't Fix     Undecided   Unassigned

Bug Description

CVE-2011-2921, http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-2921.html

When the target UID is the same as the real UID ktsuss skips
authentication. Under these circumstances, ktsuss fails to change the
effective UID back to the real UID.

Maverick is vulnerable.

The discussion can be viewed here, http://www.openwall.com/lists/oss-security/2011/08/16/2

The discussion also mentioned another vulnerability, though it's probably best to file another bug for the same.

The discussion at Debian can be viewed here, but no patches are proposed; it only discusses dropping the package in the next release.

ktsuss is not maintained, however, ktsuss-2 can be found here, http://code.google.com/p/ktsuss/source/checkout


Zubin Mithra (zubin-mithra) wrote:

Please find attached a debdiff which takes care of this issue by doing a seteuid(getuid()). Solves the issue. Tested on Maverick, works correctly after applying this patch.

Before applying you have:

$:~/cve-stuff/2011-2921/t3$ ktsuss -u `whoami` whoami
root

After, you have:

$:~/cve-stuff/2011-2921/t3$ ktsuss -u `whoami` whoami
equinox

Zubin Mithra (zubin-mithra) wrote:

I've attached another debdiff, in which "maverick" has been changed to "maverick-security".

visibility: private → public
Changed in ktsuss (Ubuntu Lucid):
status: New → Confirmed
Changed in ktsuss (Ubuntu Maverick):
status: New → Confirmed
Changed in ktsuss (Ubuntu Natty):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote:

Hi. Thanks for the debdiff. I am going to have to NACK it though.

1- The debdiff is inverted.

2- You're not checking the return value of seteuid()

3- This doesn't fix the CVE-2011-2922 issue, which is as serious. If CVE-2011-2922 isn't fixed, there is no value in fixing CVE-2011-2921.

Unsubscribing ubuntu-security-sponsors for now.
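As an added example (not ktsuss code and not the debdiff discussed here), this is the shape of fix Marc's second point asks for: seteuid(getuid()) with its return value checked, and the effective UID re-read before the target command is executed. The function names are my own.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop the effective UID back to the real UID.  Returns 0 on success,
 * -1 on failure with errno set.  Hypothetical helper illustrating the
 * CVE-2011-2921 fix; not taken from ktsuss. */
int drop_to_real_uid(void)
{
    uid_t real = getuid();

    /* The NACKed debdiff called seteuid() but ignored its result. */
    if (seteuid(real) != 0)
        return -1;

    /* Re-read the credential instead of trusting the call alone. */
    if (geteuid() != real) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* The "target UID equals real UID, skip authentication" shortcut is only
 * safe once the effective UID already matches that UID. */
int safe_to_skip_auth(uid_t target)
{
    return target == getuid() && geteuid() == target;
}

int main(int argc, char **argv)
{
    uid_t target = getuid();           /* mimics `ktsuss -u $(whoami) ...` */

    if (drop_to_real_uid() != 0) {
        fprintf(stderr, "seteuid: %s\n", strerror(errno));
        return 1;
    }
    if (!safe_to_skip_auth(target)) {
        fputs("refusing to skip authentication: euid != uid\n", stderr);
        return 1;
    }
    /* exec() resets the saved set-user-ID to the new euid, so the child
     * cannot climb back to root; in-process code would use setresuid(). */
    if (argc > 1) { execvp(argv[1], argv + 1); perror("execvp"); return 1; }
    printf("effective uid is now %u\n", (unsigned)geteuid());
    return 0;
}
```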

Changed in ktsuss (Debian):
status: Unknown → Fix Released
Changed in ktsuss (Ubuntu):
status: New → Invalid
Jamie Strandboge (jdstrand) wrote:

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in ktsuss (Ubuntu Maverick):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote:

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in ktsuss (Ubuntu Natty):
status: Confirmed → Won't Fix
Rolf Leggewie (r0lf) wrote:

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in ktsuss (Ubuntu Lucid):
status: Confirmed → Won't Fix