* Re: CVE-2009-4273 for stap 1.0?
       [not found] <20100128051807.GA25969@suse.de>
@ 2010-01-28 16:47 ` Dave Brolley
  2010-02-03 19:50   ` Tony Jones
  0 siblings, 1 reply; 3+ messages in thread
From: Dave Brolley @ 2010-01-28 16:47 UTC (permalink / raw)
  To: Tony Jones; +Cc: SystemTAP

Tony Jones wrote:
> Hi Dave.
>
> I just got assigned this CVE from our security team.
>
> I see you committed e1b36074 to rhel54 branch today (obviously that's based on
> 0.9.7).  We're at beta4 for SLES11SP1 based off 1.0, I was curious if you had
> a backport in the works for rhel55 which seems to be also v1.0?
>
> This would help me out by not having to roll it myself, especially since it's
> apparently now public.
>
>   
Hi Tony,

RHEL55 will soon rebase to systemtap 1.1 which contains the fix, so 
there are currently no plans to backport the fix to 1.0.

If you need to backport to 1.0, I would be happy to help with any 
problems you may encounter. To help get you started, I've attached a 
list of the changes needed to complete the fix.

Please use the public mailing list (systemtap@sources.redhat.com) for 
any further questions.

Thanks,
Dave


[-- Attachment #2: CVE-2009-4273.changes.txt --]

commit b75067caf1bb416af21473e40c917d953531e9f9
Author: Dave Brolley <brolley@redhat.com>
Date:   Mon Jan 18 11:56:13 2010 -0500

    Correct client-side quoting issues discovered by fche during the server-side reimplementation.
    
    Also add the test cases to the test suite.

commit 27ca40f711f4ab4b0234390443e63b7916a61551
Author: Frank Ch. Eigler <fche@elastic.org>
Date:   Fri Jan 15 16:25:16 2010 -0500

    PR11105: forget about packaging stap-server-request

commit 2a1c9b5db533fe7d2d2d4bac572195c490de62fb
Author: Frank Ch. Eigler <fche@elastic.org>
Date:   Fri Jan 15 12:34:39 2010 -0500

    PR11105: support default unset --prefix
    
    * configure.ac (STAP_PREFIX): Map NONE -> /usr/local.

commit 3f78f0208e1bfe8061d1898418882b5e2756f8a2
Author: Dave Brolley <brolley@redhat.com>
Date:   Fri Jan 15 10:52:11 2010 -0500

    Package command line arguments in separate files.

commit 86f99ad8206574dc6400d48563db58341cb50f52
Author: Frank Ch. Eigler <fche@elastic.org>
Date:   Fri Jan 15 03:27:34 2010 -0500

    PR11105: remove extraneous \n from localized foo.stp script file name

commit 36d1c134edc4bd4ee20225003041188c13b7f36f
Author: Frank Ch. Eigler <fche@elastic.org>
Date:   Fri Jan 15 03:12:53 2010 -0500

    testsuite: fix wording of invalid-entry test group

commit b703674d8fe87b0294f2df739e35545ab124a96e
Author: Frank Ch. Eigler <fche@elastic.org>
Date:   Fri Jan 15 03:11:18 2010 -0500

    PR11105: Remove stap-server-request shell script.
    
    * Makefile.am: Don't install it any more.

commit cf4a6df840531c1b30f8cfa7d10981d071911b98
Author: Frank Ch. Eigler <fche@elastic.org>
Date:   Fri Jan 15 03:06:52 2010 -0500

    PR11105: robustify stap-server
    
    * main.cxx (main): Always downgrade client-provided -p5 to -p4.
    * stap-client (unpack_response): Sanitize stdout due to same.
    * stap-server-connect.c: Eliminate a bunch of globals.
      (handle_connection): Make things locals instead.  Base tmp files
      on $TMPDIR.
      (spawn_and_wait): New helper function.
      (handleRequest): New monster function to inline rest of old
      stap-server-request.

commit e4d80588594a7495a3efedbd3a4281df13ff253b
Author: Dave Brolley <brolley@redhat.com>
Date:   Fri Jan 15 00:47:32 2010 -0500

    PR11105: stap-client wire protocol change

commit 622fa74aa720b3eda55c81530d458e3ea7792bb2
Author: Dave Brolley <brolley@redhat.com>
Date:   Thu Jan 14 15:44:09 2010 -0500

    Allow / as a random argument character when fuzzing.

commit f73d5cad4e9aa5baa0a763a76cf4516721d29b2a
Author: Dave Brolley <brolley@redhat.com>
Date:   Wed Jan 13 15:07:52 2010 -0500

    Test newline characters as part of fuzzing argument strings.

commit f2aadddae0d01fa5a676404e49c6c36825b40512
Author: Dave Brolley <brolley@redhat.com>
Date:   Mon Jan 11 22:14:36 2010 -0500

    Add some additional test cases.

commit 5f03ebf5b2acccb652c9135627184479bc8d7d47
Author: Dave Brolley <brolley@redhat.com>
Date:   Mon Jan 11 20:19:54 2010 -0500

    Invalid cases can be tested for 'make check'.

commit a0ace4915e5d963c28fa3b54f87afef34b82b6a5
Author: Dave Brolley <brolley@redhat.com>
Date:   Mon Jan 11 20:13:40 2010 -0500

    Rework filtering of client options. Add testsuite.

commit 3c07041760dccbb3151ef21602b8bc5da4b32197
Author: Dave Brolley <brolley@redhat.com>
Date:   Mon Jan 11 14:34:27 2010 -0500

    Filter options for unprivileged use after --stap-client is seen.

commit ed03894041aedf79811d5ad5c41caedbf90052cd
Author: Dave Brolley <brolley@redhat.com>
Date:   Fri Jan 8 16:25:59 2010 -0500

    New test suite for client/server argument handling.

commit 12091330be193cd0836d48c525bab015fcec2c75
Author: Dave Brolley <brolley@redhat.com>
Date:   Thu Jan 7 17:10:30 2010 -0500

    Take care when echoing something that could start with a -.

commit a0626e2e2ea13b6fc974157fb71fe6d48f4c7ec0
Author: Dave Brolley <brolley@redhat.com>
Date:   Thu Jan 7 13:58:11 2010 -0500

    Client argument handling:
    
    Pass partial options to the server instead of complaining about
    them in the client.
    
    Update known failures from buildok in server.exp.



* Re: CVE-2009-4273 for stap 1.0?
  2010-01-28 16:47 ` CVE-2009-4273 for stap 1.0? Dave Brolley
@ 2010-02-03 19:50   ` Tony Jones
  2010-02-03 20:23     ` Dave Brolley
  0 siblings, 1 reply; 3+ messages in thread
From: Tony Jones @ 2010-02-03 19:50 UTC (permalink / raw)
  To: Dave Brolley; +Cc: SystemTAP

On Thu, Jan 28, 2010 at 11:47:35AM -0500, Dave Brolley wrote:
> Hi Tony,
> 
> RHEL55 will soon rebase to systemtap 1.1 which contains the fix, so
> there are currently no plans to backport the fix to 1.0.
> 
> If you need to backport to 1.0, I would be happy to help with any
> problems you may encounter. To help get you started, I've attached a
> list of the changes needed to complete the fix.
> 
> Please use the public mailing list (systemtap@sources.redhat.com)
> for any further questions.

As part of verifying the backport I tried initially to reproduce the problem 
in the un-fixed code based on the "horror cases" mentioned at: 
http://sourceware.org/bugzilla/show_bug.cgi?id=11105#c1

I tried various forms based off of the "stap-client -D 'asdf ; ls /etc' ..."
case but I guess I'm not understanding the side-effects. I assumed the above 
would result in some form of extraneous output at the client side? 

I guess I'd welcome some concrete examples that demonstrate the exploit if
you have a spare couple of minutes. Either on or off-list is fine.

Thanks


* Re: CVE-2009-4273 for stap 1.0?
  2010-02-03 19:50   ` Tony Jones
@ 2010-02-03 20:23     ` Dave Brolley
  0 siblings, 0 replies; 3+ messages in thread
From: Dave Brolley @ 2010-02-03 20:23 UTC (permalink / raw)
  To: Tony Jones; +Cc: SystemTAP

Hi Tony,

Tony Jones wrote:
> As part of verifying the backport I tried initially to reproduce the problem 
> in the un-fixed code based on the "horror cases" mentioned at: 
> http://sourceware.org/bugzilla/show_bug.cgi?id=11105#c1
>
> I tried various forms based off of the "stap-client -D 'asdf ; ls /etc' ..."
> case but I guess I'm not understanding the side-effects. I assumed the above 
> would result in some form of extraneous output at the client side? 
>
> I guess I'd welcome some concrete examples that demonstrate the exploit if
> you have a spare couple of minutes. Either on or off-list is fine.
>
>
>   
Here is an example which demonstrates the exploit. Running

    stap-client -p1 -B\;ai2

will print an error about -B being an invalid option followed by the 
usage help followed by a message similar to

  /usr/local/bin/stap-server: line 340: ai2: command not found

which indicates that the server tried to run the 'ai2' command.

I hope this helps,
Dave
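An added example, not SystemTap's own code, of the defensive shape the commits listed above describe: an allowlist filter for client-supplied options that downgrades -p5 to -p4, rejects macro values containing shell metacharacters, uses printf rather than echo for values that may start with '-', and rebuilds a real argv instead of interpolating a command string. STAP_BIN, valid_macro, filter_client_args and run_filtered are hypothetical names.

```shell
#!/bin/sh
# Hypothetical hardened option filter (added example, not SystemTap code).
# Client input is never pasted into a shell command line, so an argument
# such as '-B;ai2' cannot reach a shell parser on the server side.

STAP_BIN=${STAP_BIN:-stap}   # assumption: tool to invoke with the filtered argv

# valid_macro NAME[=value]: only NAME or NAME=value built from a conservative
# character set; anything else (spaces, ';', '$', quotes, ...) is rejected.
valid_macro() {
    case "$1" in
        ''|*[!A-Za-z0-9_=]*|=*) return 1 ;;
    esac
    return 0
}

# filter_client_args: print one accepted argument per line. Any argument that
# is not on the allowlist fails the whole request (status 1). A client-provided
# -p5 is downgraded to -p4 so the server never runs the resulting module.
filter_client_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -p[1-4])     printf '%s\n' "$1" ;;
            -p5)         printf '%s\n' -p4 ;;
            -v|-vv|-vvv) printf '%s\n' "$1" ;;
            -D)          shift; valid_macro "$1" || return 1
                         printf '%s\n' "-D$1" ;;
            -D?*)        valid_macro "${1#-D}" || return 1
                         printf '%s\n' "$1" ;;
            *)           return 1 ;;
        esac
        shift
    done
}

# run_filtered: rebuild argv from the filtered list and invoke the tool directly
# (no eval, no intermediate shell script). Splitting on whitespace is safe here
# because the allowlist admits no whitespace in any accepted argument.
run_filtered() {
    filtered=$(filter_client_args "$@") || return 1
    set --
    for a in $filtered; do set -- "$@" "$a"; done
    "$STAP_BIN" "$@"
}
```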


