nix::unistd::getgrouplist buffer overflow #1060


Merged
merged 6 commits into from
Sep 30, 2021

Conversation

geofft
Contributor

@geofft geofft commented Sep 27, 2021

Reported in nix-rust/nix#1541, fix currently under review.

@Shnatsel
Member

Thank you! Looks good to me. Is there a chance that a fix is going to be released within the next 24 hours or so? In that case I'd prefer to include the fixed version in the advisory and only then merge it in order to make the advisory more actionable.

@geofft
Contributor Author

geofft commented Sep 27, 2021

I think that depends on the nix maintainers (we're just contributors), and my guess would be no.

@asomers

asomers commented Sep 29, 2021

Yes, I'll merge that PR and publish soon. But while this is certainly a bug, is it really a security issue? It doesn't seem exploitable to me, except by somebody who already has the ability to modify /etc/groups.

@asomers

asomers commented Sep 29, 2021

Fixed in Nix 0.23.0, 0.20.2, 0.21.2, and 0.22.2.

@Shnatsel
Member

Since this appears to require root to exploit, I'd like to drop the severity down to a warning. Thoughts?

@asomers

asomers commented Sep 29, 2021

Since this appears to require root to exploit, I'd like to drop the severity down to a warning. Thoughts?

I agree with decreasing the severity. Also, you should set the os tag to linux, freebsd, android, netbsd, dragonfly, openbsd, and fuchsia.

@Shnatsel Shnatsel merged commit a59b58d into rustsec:main Sep 30, 2021
@Shnatsel
Member

Merged. Apologies for the delay. Thanks @geofft for the timely and detailed advisory!

@geofft
Contributor Author

geofft commented Oct 8, 2021

Thank you, and thanks @asomers for the backports to stable branches (we're unfortunately still running Debian oldoldstable for a few more months).

I agree this is not high-priority, but there are contexts where it's theoretically exploitable by an unprivileged user, including

  • At sites with very large numbers of UNIX groups (including ours), there's generally some self-service interface to create groups and add yourself to them. Even if it doesn't explicitly let you pick a specific GID (which it might - ours does, which we didn't consider security-sensitive), you might be able to create one at the right time to get the one you want, and it's definitely easy to get yourself into a large number of groups and cause a DoS.
  • In a site with networked groups (e.g., LDAP), while the source of groups is somewhat trusted, it's not necessarily completely trusted. SSSD, for instance, has the min_id parameter, which by default prevents LDAP from returning data for UID/GID 0 and is usually set to prevent it from returning UIDs/GIDs < 1000. So this bug allows lateral movement from the LDAP server to the rest of the environment, where lateral movement may have been hard (though admittedly not impossible, getting control of UIDs >= 1000 is certainly bad too).
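The advisory above concerns buffer-length bookkeeping around the libc getgrouplist(3) call. As an added illustration (example code, not nix's implementation or its fix), here is a retry loop that keeps the invariant a safe wrapper needs: the `ngroups` count handed to libc always equals the number of slots the buffer actually has, and growth is bounded so a user in a huge number of groups yields an error rather than unbounded allocation. It assumes Linux/glibc (gid_t is u32, and glibc stores the required count in `ngroups` when it returns -1); `MAX_GROUPS`, `next_len`, `group_list` and the `initial_len` parameter are constructed for this example.

```rust
use std::convert::TryFrom;
use std::ffi::CString;
use std::io;
use std::os::raw::{c_char, c_int};

// Assumption: Linux/glibc, where gid_t is a u32.
type GidT = u32;

extern "C" {
    // int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);
    fn getgrouplist(user: *const c_char, group: GidT, groups: *mut GidT, ngroups: *mut c_int) -> c_int;
}

// Constructed upper bound on entries we are willing to allocate, so membership in an
// enormous number of groups produces an error instead of unbounded growth.
const MAX_GROUPS: usize = 1 << 20;

/// Next buffer length after libc reported "too small". glibc puts the required count in
/// `reported`; other libcs may leave it meaningless, so we also at least double.
fn next_len(cur: usize, reported: c_int) -> Option<usize> {
    let wanted = usize::try_from(reported).unwrap_or(0).max(cur.saturating_mul(2));
    if wanted > MAX_GROUPS { None } else { Some(wanted) }
}

/// Returns `base_gid` followed by the supplementary groups of `user`.
/// `initial_len` lets a caller (or test) start small to exercise the retry path.
fn group_list(user: &str, base_gid: GidT, initial_len: usize) -> io::Result<Vec<GidT>> {
    let cuser = CString::new(user).map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, e))?;
    let mut buf: Vec<GidT> = vec![0; initial_len.max(1)];
    loop {
        // Invariant: the count handed to libc is exactly the number of slots it may write.
        let mut ngroups = c_int::try_from(buf.len())
            .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "group buffer too large"))?;
        // SAFETY: buf has exactly `ngroups` initialised slots and cuser is NUL-terminated.
        let ret = unsafe { getgrouplist(cuser.as_ptr(), base_gid, buf.as_mut_ptr(), &mut ngroups) };
        if ret >= 0 {
            // Success: libc stored the number of entries it wrote in ngroups.
            buf.truncate(usize::try_from(ngroups).unwrap_or(0));
            return Ok(buf);
        }
        // ret == -1: buffer too small. Grow and retry; libc rewrites the buffer from scratch.
        match next_len(buf.len(), ngroups) {
            Some(n) => buf.resize(n, 0),
            None => return Err(io::Error::new(io::ErrorKind::Other, "too many groups")),
        }
    }
}
```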
