* Re: CVE-2009-4273 for stap 1.0?
From: Dave Brolley @ 2010-01-28 16:47 UTC (permalink / raw)
To: Tony Jones; +Cc: SystemTAP
Tony Jones wrote:
> Hi Dave.
>
> I just got assigned this CVE from our security team.
>
> I see you committed e1b36074 to rhel54 branch today (obviously that's based on
> 0.9.7). We're at beta4 for SLES11SP1 based off 1.0, I was curious if you had
> a backport in the works for rhel55 which seems to be also v1.0?
>
> This would help me out by not having to roll it myself, especially since it's
> apparently now public.
>
>
Hi Tony,
RHEL55 will soon rebase to systemtap 1.1 which contains the fix, so
there are currently no plans to backport the fix to 1.0.
If you need to backport to 1.0, I would be happy to help with any
problems you may encounter. To help get you started, I've attached a
list of the changes needed to complete the fix.
Please use the public mailing list (systemtap@sources.redhat.com) for
any further questions.
Thanks,
Dave
[-- Attachment #2: CVE-2009-4273.changes.txt --]
commit b75067caf1bb416af21473e40c917d953531e9f9
Author: Dave Brolley <brolley@redhat.com>
Date: Mon Jan 18 11:56:13 2010 -0500
Correct client-side quoting issues discovered by fche during the server-side reimplementation.
Also add the test cases to the test suite.
commit 27ca40f711f4ab4b0234390443e63b7916a61551
Author: Frank Ch. Eigler <fche@elastic.org>
Date: Fri Jan 15 16:25:16 2010 -0500
PR11105: forget about packaging stap-server-request
commit 2a1c9b5db533fe7d2d2d4bac572195c490de62fb
Author: Frank Ch. Eigler <fche@elastic.org>
Date: Fri Jan 15 12:34:39 2010 -0500
PR11105: support default unset --prefix
* configure.ac (STAP_PREFIX): Map NONE -> /usr/local.
commit 3f78f0208e1bfe8061d1898418882b5e2756f8a2
Author: Dave Brolley <brolley@redhat.com>
Date: Fri Jan 15 10:52:11 2010 -0500
Package command line arguments in separate files.
commit 86f99ad8206574dc6400d48563db58341cb50f52
Author: Frank Ch. Eigler <fche@elastic.org>
Date: Fri Jan 15 03:27:34 2010 -0500
PR11105: remove extraneous \n from localized foo.stp script file name
commit 36d1c134edc4bd4ee20225003041188c13b7f36f
Author: Frank Ch. Eigler <fche@elastic.org>
Date: Fri Jan 15 03:12:53 2010 -0500
testsuite: fix wording of invalid-entry test group
commit b703674d8fe87b0294f2df739e35545ab124a96e
Author: Frank Ch. Eigler <fche@elastic.org>
Date: Fri Jan 15 03:11:18 2010 -0500
PR11105: Remove stap-server-request shell script.
* Makefile.am: Don't install it any more.
commit cf4a6df840531c1b30f8cfa7d10981d071911b98
Author: Frank Ch. Eigler <fche@elastic.org>
Date: Fri Jan 15 03:06:52 2010 -0500
PR11105: robustify stap-server
* main.cxx (main): Always downgrade client-provided -p5 to -p4.
* stap-client (unpack_response): Sanitize stdout due to same.
* stap-server-connect.c: Eliminate a bunch of globals.
(handle_connection): Make things locals instead. Base tmp files
on $TMPDIR.
(spawn_and_wait): New helper function.
(handleRequest): New monster function to inline rest of old
stap-server-request.
commit e4d80588594a7495a3efedbd3a4281df13ff253b
Author: Dave Brolley <brolley@redhat.com>
Date: Fri Jan 15 00:47:32 2010 -0500
PR11105: stap-client wire protocol change
commit 622fa74aa720b3eda55c81530d458e3ea7792bb2
Author: Dave Brolley <brolley@redhat.com>
Date: Thu Jan 14 15:44:09 2010 -0500
Allow / as a random argument character when fuzzing.
commit f73d5cad4e9aa5baa0a763a76cf4516721d29b2a
Author: Dave Brolley <brolley@redhat.com>
Date: Wed Jan 13 15:07:52 2010 -0500
Test newline characters as part of fuzzing argument strings.
commit f2aadddae0d01fa5a676404e49c6c36825b40512
Author: Dave Brolley <brolley@redhat.com>
Date: Mon Jan 11 22:14:36 2010 -0500
Add some additional test cases.
commit 5f03ebf5b2acccb652c9135627184479bc8d7d47
Author: Dave Brolley <brolley@redhat.com>
Date: Mon Jan 11 20:19:54 2010 -0500
Invalid cases can be tested for 'make check'.
commit a0ace4915e5d963c28fa3b54f87afef34b82b6a5
Author: Dave Brolley <brolley@redhat.com>
Date: Mon Jan 11 20:13:40 2010 -0500
Rework filtering of client options. Add testsuite.
commit 3c07041760dccbb3151ef21602b8bc5da4b32197
Author: Dave Brolley <brolley@redhat.com>
Date: Mon Jan 11 14:34:27 2010 -0500
Filter options for unprivileged use after --stap-client is seen.
commit ed03894041aedf79811d5ad5c41caedbf90052cd
Author: Dave Brolley <brolley@redhat.com>
Date: Fri Jan 8 16:25:59 2010 -0500
New test suite for client/server argument handling.
commit 12091330be193cd0836d48c525bab015fcec2c75
Author: Dave Brolley <brolley@redhat.com>
Date: Thu Jan 7 17:10:30 2010 -0500
Take care when echoing something that could start with a -.
commit a0626e2e2ea13b6fc974157fb71fe6d48f4c7ec0
Author: Dave Brolley <brolley@redhat.com>
Date: Thu Jan 7 13:58:11 2010 -0500
Client argument handling:
Pass partial options to the server instead of complaining about
them in the client.
Update known failures from buildok in server.exp.
* Re: CVE-2009-4273 for stap 1.0?
From: Tony Jones @ 2010-02-03 19:50 UTC (permalink / raw)
To: Dave Brolley; +Cc: SystemTAP
On Thu, Jan 28, 2010 at 11:47:35AM -0500, Dave Brolley wrote:
> Hi Tony,
>
> RHEL55 will soon rebase to systemtap 1.1 which contains the fix, so
> there are currently no plans to backport the fix to 1.0.
>
> If you need to backport to 1.0, I would be happy to help with any
> problems you may encounter. To help get you started, I've attached a
> list of the changes needed to complete the fix.
>
> Please use the public mailing list (systemtap@sources.redhat.com)
> for any further questions.
As part of verifying the backport I tried initially to reproduce the problem
in the un-fixed code based on the "horror cases" mentioned at:
http://sourceware.org/bugzilla/show_bug.cgi?id=11105#c1
I tried various forms based off of the "stap-client -D 'asdf ; ls /etc' ..."
case but I guess I'm not understanding the side-effects. I assumed the above
would result in some form of extraneous output at the client side?
I guess I'd welcome some concrete examples that demonstrate the exploit if
you have a spare couple of minutes. Either on or off-list is fine.
Thanks
* Re: CVE-2009-4273 for stap 1.0?
From: Dave Brolley @ 2010-02-03 20:23 UTC (permalink / raw)
To: Tony Jones; +Cc: SystemTAP
Hi Tony,
Tony Jones wrote:
> As part of verifying the backport I tried initially to reproduce the problem
> in the un-fixed code based on the "horror cases" mentioned at:
> http://sourceware.org/bugzilla/show_bug.cgi?id=11105#c1
>
> I tried various forms based off of the "stap-client -D 'asdf ; ls /etc' ..."
> case but I guess I'm not understanding the side-effects. I assumed the above
> would result in some form of extraneous output at the client side?
>
> I guess I'd welcome some concrete examples that demonstrate the exploit if
> you have a spare couple of minutes. Either on or off-list is fine.
>
>
>
Here is an example which demonstrates the exploit. Running
stap-client -p1 -B\;ai2
will print an error about -B being an invalid option followed by the
usage help followed by a message similar to
/usr/local/bin/stap-server: line 340: ai2: command not found
which indicates that server tried to run the 'ai2' command.
I hope this helps,
Dave
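The example Dave gives above (a client option such as `-B\;ai2` ending up as a second command on the server) and the fix commits in his attached list (filtering options for unprivileged use, passing arguments as separate items, and taking care when echoing something that starts with `-`) describe one bug class: client-controlled option text spliced into a shell command line and re-parsed by the shell. The script below is an added illustration of that class in POSIX sh, not SystemTap's stap-server or stap-client code. `fake_stap` stands in for the compile step, the option letters that `allowed_option` accepts are an assumption chosen here, and the `INJECTED` marker is constructed test input. Both roles run in one process so the injected command's output is visible locally; in a real client/server deployment the command runs on the server host, which is why an injection may show nothing on the client beyond a server-side error such as the "command not found" line quoted above.

```shell
#!/bin/sh
# Added illustration of the bug class behind CVE-2009-4273, not SystemTap's
# own code: a shell-script server splices client-supplied option text into a
# command line and lets the shell re-parse it, so a value like '-B;ai2' runs
# 'ai2' on the server. fake_stap, the option letters accepted by
# allowed_option, and the INJECTED marker are all assumptions made here.

# Stand-in for the compile step the server would normally run. It prints each
# argv element on its own line with printf, not echo, so an element such as
# '-n' or '-e' is printed rather than taken as an echo option.
fake_stap() {
    for a in "$@"; do
        printf '%s\n' "$a"
    done
}

# VULNERABLE: the client's options arrive as one string and are handed to
# eval, so a ';' inside a value splits the string into a second command.
vulnerable_dispatch() {
    opts="$1"
    eval "fake_stap $opts"
}

# HARDENED: options are kept as separate argv elements and never re-parsed;
# '--' keeps the callee from reading a client value as one of its own options.
hardened_dispatch() {
    fake_stap -- "$@"
}

# Allowlist for unprivileged use. Accepts -p1..-p4 (a requested -p5 is
# refused here rather than downgraded) and -D/-I with a value drawn from a
# conservative character set; everything else, including any value holding
# ';', whitespace, quotes or a newline, is rejected.
allowed_option() {
    case "$1" in
        -p[1-4]) return 0 ;;
        -D?*) tail="${1#-D}" ;;
        -I?*) tail="${1#-I}" ;;
        *) return 1 ;;
    esac
    case "$tail" in
        *[!A-Za-z0-9_=/.,-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Filter first, then dispatch without re-parsing. Returns 2 and reports the
# offending option (via printf, so a leading '-' is safe) on rejection.
filter_and_dispatch() {
    for a in "$@"; do
        if ! allowed_option "$a"; then
            printf 'rejected option: %s\n' "$a" >&2
            return 2
        fi
    done
    hardened_dispatch "$@"
}

# Demonstration: the same client input handled both ways. The vulnerable path
# prints a line reading INJECTED (the injected echo ran); the hardened path
# refuses the request before anything reaches fake_stap.
printf '%s\n' '--- vulnerable ---'
vulnerable_dispatch '-p1 -B;echo INJECTED'
printf '%s\n' '--- hardened ---'
filter_and_dispatch -p1 '-B;echo INJECTED' || printf 'request refused (exit %s)\n' "$?"
```

The two defences are independent: keeping arguments as separate argv elements (or, as the commit list does, in separate files) removes the re-parse that turns `;` into a command separator, while the allowlist rejects values the server has no reason to accept from an unprivileged client. Applying only the allowlist leaves the eval in place for any option letter that slips through; applying only the argv fix still lets a client pass options (such as `-p5`) that the server should not honour.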