Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:Update
spice-vdagent
0001-CVE-2020-25653-Avoids-user-session-hijacki...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-CVE-2020-25653-Avoids-user-session-hijacking.patch of Package spice-vdagent
Subject: Avoids user session hijacking From: Frediano Ziglio freddy77@gmail.com Sun Sep 20 08:06:16 2020 +0100 Date: Thu Oct 29 14:59:18 2020 +0000: Git: 51c415df82a52e9ec033225783c77df95f387891 Avoids user hijacking sessions by reusing PID. In theory an attacker could: - open a connection to the daemon; - fork and exit the process but keep the file descriptor open (inheriting or duplicating it in forked process); - force OS to recycle the initial PID, by creating many short lived processes. Daemon would detect the old PID as having the new session. Check the user to avoid such replacements. This issue was reported by SUSE security team. Signed-off-by: Frediano Ziglio <freddy77@gmail.com> Acked-by: Uri Lublin <uril@redhat.com> Index: spice-vdagent-0.17.0/src/vdagentd.c =================================================================== --- spice-vdagent-0.17.0.orig/src/vdagentd.c +++ spice-vdagent-0.17.0/src/vdagentd.c @@ -838,6 +838,19 @@ static gboolean remove_active_xfers(gpoi return 0; } +/* Check a given process has a given UID */ +static gboolean check_uid_of_pid(pid_t pid, uid_t uid) +{ + char fn[128]; + struct stat st; + + snprintf(fn, sizeof(fn), "/proc/%u/status", (unsigned) pid); + if (stat(fn, &st) != 0 || st.st_uid != uid) { + return FALSE; + } + return TRUE; +} + static void agent_connect(struct udscs_connection *conn) { struct agent_data *agent_data; @@ -851,7 +864,18 @@ static void agent_connect(struct udscs_c if (session_info) { uint32_t pid = udscs_get_peer_cred(conn).pid; + uint32_t uid = udscs_get_peer_cred(conn).uid; agent_data->session = session_info_session_for_pid(session_info, pid); + + /* Check that the UID of the PID did not change, this should be done after + * computing the session to avoid race conditions. + * This can happen as vdagent_connection_get_peer_pid_uid get information + * from the time of creating the socket, but the process in the meantime + * have been replaced */ + if (!check_uid_of_pid(pid, uid)) { + udscs_destroy_connection(&conn); + return; + } } udscs_set_user_data(conn, (void *)agent_data);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor