[CentOS] Serious attack vector on pkcheck ignored by Red Hat

Gordon Messmer gordon.messmer at gmail.com
Wed Feb 15 17:55:28 UTC 2017


On 02/15/2017 08:22 AM, Chris Adams wrote:
> noexec is not that big of a protection.  On a normal CentOS system, you
> almost certainly have python installed (as well as likely other
> scripting languages such as perl), and they can be used to do just about
> anything compiled code can do.


Exactly.  Since python is required by yum (and gettext, and 
systemd-sysv), it's nearly impossible to have a CentOS system without 
python.

Python, of course, includes the "ctypes" module, which allows you to 
load a shared object and call a C function with whatever arguments you 
choose.

You *absolutely* do not need a heap spraying attack in order to make 
arbitrary library or kernel calls.

Leonard, man... you've got to let this go.  Users with shell access already 
have fairly broad permission to execute arbitrary code on the system 
they log in to.  The memory leak in pkcheck is *not* a security issue.  
It's just a bug.  *Everyone* is trying to tell you this, including the 
maintainers of CentOS, and (in your original bug report) the maintainers 
of RHEL.  The security bug you've used as a foundation for all of this 
was built on a SUID binary, which pkcheck is not.  What's it going to 
take for you to accept this?  Do you honestly think that you are better 
qualified than all of the maintainers and developers that are telling 
you that this isn't a security bug?

I really want to encourage you to stay involved as a community member.  
Free Software is a participation culture, and every contributor has the 
potential to make the entire system better, but participation is a 
two-way conversation.  You've got to learn to listen, as well.
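As an illustration of the ctypes mechanism Gordon refers to above (this is an added example, not code from the original post or from any of its authors), the snippet below loads the system C library by name and calls two of its functions with explicitly declared argument and return types. It assumes a Linux/glibc-style platform where ctypes.util can locate "c" (or where libc.so.6 exists); the function names c_strlen and pid_via_libc_matches_os are this example's own.

```python
import ctypes
import ctypes.util
import os

# Locate the C library by name rather than hard-coding a path. Assumption:
# a Linux/glibc-style platform; the literal fallback is libc.so.6.
_LIBC_NAME = ctypes.util.find_library("c") or "libc.so.6"
libc = ctypes.CDLL(_LIBC_NAME)

# Declare argument and return types explicitly. ctypes assumes every return
# value is a C int unless told otherwise, and an undeclared size_t or pointer
# result is silently truncated on 64-bit systems, so set restype/argtypes
# for every foreign function before calling it.
libc.strlen.argtypes = [ctypes.c_char_p]
libc.strlen.restype = ctypes.c_size_t
libc.getpid.argtypes = []
libc.getpid.restype = ctypes.c_int


def c_strlen(text: str) -> int:
    """Call the C library's strlen() on the UTF-8 encoding of `text`."""
    # c_char_p hands the library a NUL-terminated byte buffer owned by Python.
    return libc.strlen(text.encode("utf-8"))


def pid_via_libc_matches_os() -> bool:
    """Return True when libc's getpid() agrees with os.getpid()."""
    return libc.getpid() == os.getpid()


if __name__ == "__main__":
    print("strlen('CentOS') via libc =", c_strlen("CentOS"))
    print("getpid() via ctypes matches os.getpid():", pid_via_libc_matches_os())
```

Nothing here is written to disk or marked executable, which is the point of the thread: the interpreter itself is the native code that runs, so a noexec mount on user-writable directories limits what can be launched directly but not what an already-permitted interpreter can reach through a loaded library.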



