[CentOS] Serious attack vector on pkcheck ignored by Red Hat

Leonard den Ottolander leonard at den.ottolander.nl
Thu Feb 2 15:35:54 UTC 2017


On Thu, 2017-02-02 at 07:16 -0800, Gordon Messmer wrote:
> On 02/02/2017 06:51 AM, Leonard den Ottolander wrote:
> > pkcheck might not be directly vulnerable. However, pkexec is.
> 
> 
> If that's so, why are you supplying patches to pkcheck rather than 
> fixing pkexec?

The patch has a fix for three memory leaks. One is a memory leak in
pkexec.c that allows heap spraying, which according to the aforementioned
article is *directly* exploitable and has been fixed upstream. (Check the
references I provided.)

Two similar memory leaks exist in pkcheck.c, for which I also provided
patches. Even though these might not be so easily exploitable the memory
leaks in themselves allow a local attacker to "spray the heap", which
makes it easier for him to leverage an attack. You do not want to allow
an attacker to have such potent tools readily available.

Memory leaks are always bad, but these are seriously bad because they
are attacker controlled.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
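To make the "attacker controlled memory leak" point concrete for readers following the thread, here is a constructed illustration (added here, not polkit's code and not Leonard's patch) of the pattern: a setuid-style helper that duplicates a repeated command-line option and, in the leaky variant, never frees the previous copy. The caller decides how many copies stay allocated, which is what makes such a leak a heap-shaping tool. The option name `--user`, the sample argv and the byte counter are all invented for the example; the fix is simply releasing the old copy before replacing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not polkit's code: a tiny option parser in the
 * style of a setuid helper's argv handling. Each "--user NAME" occurrence
 * duplicates NAME. The leaky variant never frees the previous copy, so an
 * unprivileged caller controls how much heap stays allocated. */

static size_t live_bytes = 0;   /* bytes currently held by our copies */

/* strdup() with accounting so the leak can be measured. */
static char *dup_tracked(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL)
        abort();
    memcpy(p, s, n);
    live_bytes += n;
    return p;
}

static void free_tracked(char *p)
{
    if (p != NULL) {
        live_bytes -= strlen(p) + 1;
        free(p);
    }
}

/* Parse argv and return the number of bytes still allocated afterwards.
 * With fix == 0 every repeated --user leaks the previous copy; with
 * fix != 0 the old copy is released before it is replaced. */
size_t parse_user_option(int argc, char **argv, int fix)
{
    char *user = NULL;
    live_bytes = 0;
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "--user") == 0) {
            if (fix)
                free_tracked(user);        /* the fix: drop the old copy */
            user = dup_tracked(argv[i + 1]); /* leaky when fix == 0 */
            i++;
        }
    }
    free_tracked(user);                    /* only the last copy is freed */
    return live_bytes;
}

/* Constructed sample command line: three repeated --user options.
 * Returns leaked bytes: 10 for the leaky variant ("alice" + "bob" copies,
 * 6 + 4 bytes with NUL), 0 for the fixed one. */
size_t demo_leak(int fix)
{
    char *argv[] = { "helper", "--user", "alice", "--user", "bob",
                     "--user", "carol" };
    int argc = (int)(sizeof argv / sizeof argv[0]);
    return parse_user_option(argc, argv, fix);
}

int main(void)
{
    printf("leaky variant: %zu bytes still allocated\n", demo_leak(0));
    printf("fixed variant: %zu bytes still allocated\n", demo_leak(1));
    return 0;
}
```

The leaked amount scales with the number and length of the repeated options the caller supplies, which is why the thread treats a leak in a privileged helper as attacker controlled rather than as a mere resource bug; running the binary under Valgrind or ASan's LeakSanitizer reports the same lost blocks.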