bug-glibc

Re: NIS+ groups, segfaults


From: Thorsten Kukuk
Subject: Re: NIS+ groups, segfaults
Date: Tue, 6 Mar 2001 22:34:46 +0100
User-agent: Mutt/1.2.5i

On Tue, Mar 06, Dirk Wetter wrote:

> 
> Hi,
> 
> I am new to this list; I am not even subscribed to it.
> But I would appreciate it if the bug which we found
> (see below) were fixed *at least* in the next release.
> 
> I couldn't read any mail/notification that this issue
> I brought up was addressed, so I thought I would just step
> forward with two suggestions; here they are:
> 
> - increase NSS_BUFLEN_GROUP in /usr/include/grp.h
>   and      NSS_BUFLEN_PASSWD in /usr/include/pwd.h
>   at least to 4096, better 8192.

This would not solve the problem, only hide it for more cases.

> 
> - Somebody has to find the real problem in "_nss_compat_initgroups"
>   in ./nis/nss_compat/compat-initgroups.c.
>   The same code seems to be in ./grp/initgroups.c
>   and ./nis/nss_nis/nis-initgroups.c.

It is the same code for /etc/group, NIS and NIS+. I created
a group entry with about 3000 characters in /etc/group and
the NIS group map. It works without problems; __alloca is
called 3 times without problems for files (/etc/group) and NIS.

I think the problem is in the NIS+ code; it looks like we
overwrite some memory we are not allowed to write to.
But I don't have access to a NIS+ server at the moment,
so I cannot test and fix this.

> IMHO this problem needs to be resolved, also for security reasons.
> At least we were able to put some "numbers" on the stack,
> which at a certain point were found to be a valid address
> by the code after exiting a function.

This is bogus: if somebody is able to change your NIS+ data,
he doesn't need a buffer overflow to become root.

  Thorsten

-- 
Thorsten Kukuk       http://www.suse.de/~kukuk/       address@hidden
SuSE GmbH            Schanzaeckerstr. 10            90443 Nuernberg
Linux is like a Vorlon.  It is incredibly powerful, gives terse,
cryptic answers and has a lot of things going on in the background.



