[CentOS] Serious attack vector on pkcheck ignored by Red Hat
Gordon Messmer
gordon.messmer at gmail.com
Wed Feb 15 17:55:28 UTC 2017
On 02/15/2017 08:22 AM, Chris Adams wrote:
> noexec is not that big of a protection. On a normal CentOS system, you
> almost certainly have python installed (as well as likely other
> scripting languages such as perl), and they can be used to do just about
> anything compiled code can do.

Exactly. Since python is required by yum (and gettext, and
systemd-sysv), it's nearly impossible to have a CentOS system without
python.

Python, of course, includes the "ctypes" module, which allows you to
load a shared object and call a C function with whatever arguments you
choose.

You *absolutely* do not need a heap spraying attack in order to make
arbitrary library or kernel calls.

Leonard, man... you've got to let this go. Users with shell access already
have fairly broad permission to execute arbitrary code on the system
they log in to. The memory leak in pkcheck is *not* a security issue.
It's just a bug. *Everyone* is trying to tell you this, including the
maintainers of CentOS, and (in your original bug report) the maintainers
of RHEL. The security bug you've used as a foundation for all of this
was built on a SUID binary, which pkcheck is not. What's it going to
take for you to accept this? Do you honestly think that you are better
qualified than all of the maintainers and developers that are telling
you that this isn't a security bug?

I really want to encourage you to stay involved as a community member.
Free Software is a participation culture, and every contributor has the
potential to make the entire system better, but participation is a
two-way conversation. You've got to learn to listen, as well.
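
The ctypes point made in the message above, as an added example that is not part of the original e-mail: it lists the noexec mounts in a /proc/mounts-style table and then calls two C library functions from the interpreter without executing any file, which is why noexec alone does not constrain a user who can run python. The sample mount table and the function names are constructed for illustration.

```python
import ctypes
import os

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /home xfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""


def noexec_mounts(mounts_text):
    """Return the mount points whose option list contains 'noexec'."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # Fields: device, mount point, fs type, comma-separated options, ...
        if len(fields) >= 4 and "noexec" in fields[3].split(","):
            found.append(fields[1])
    return found


def libc_call_via_ctypes():
    """Call getpid() and getuid() in the C library through ctypes.

    CDLL(None) resolves symbols already loaded into the interpreter
    process, so nothing on a noexec mount is executed to make the call.
    """
    libc = ctypes.CDLL(None)
    libc.getpid.restype = ctypes.c_int
    libc.getuid.restype = ctypes.c_uint
    return libc.getpid(), libc.getuid()


if __name__ == "__main__":
    # On a live host, pass open("/proc/mounts").read() instead of the sample.
    print("noexec mounts:", noexec_mounts(SAMPLE_MOUNTS))
    pid, uid = libc_call_via_ctypes()
    # The C calls return the same values as Python's own wrappers.
    print("getpid via ctypes:", pid, "os.getpid():", os.getpid())
    print("getuid via ctypes:", uid, "os.getuid():", os.getuid())
```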