[Bug 787] Minor security problem due to use of deprecated NGROUPS_MAX in uidswap.c (sshd)

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Feb 24 08:34:03 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=787

openssh_bugzilla at hockin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #548 is|0                           |1
           obsolete|                            |



------- Additional Comments From openssh_bugzilla at hockin.org  2004-02-24 08:33 -------
Created an attachment (id=549)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=549&action=view)
new NGROUPS patch

This should work if you have no supplementary groups.  It also keeps existing
behavior for unnamed groups in groups_byname[].

Issue: the first call to getgrouplist() in groupaccess.c:ga_init().

On my unpatched RH9 box, this segfaults.  On my RHEL3 box (should be just like
RH9) it works.  Based on stack examination, the getgrouplist() function on my
RH9 box writes the gid list to the stack, heedless of the ngroups parameter. 
The RHEL box seems to do the right thing, except for wantonly assuming that at
least ONE gid will be available and that ngroups is at least 1.

So I work around the case of requiring one gid (not too gross), but what can be
done about it ignoring the ngroups param on RH9?  Nothing that seems
reasonable.  Fix glibc.

So I think this is correct, or as correct as can be.  More testers to confirm
that would be nice.



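The calling pattern this comment is concerned with, as an added example that is not part of the original message or of the attached patch: size the gid buffer from what getgrouplist() reports instead of NGROUPS_MAX, never pass a count of zero, and reject a returned count that does not fit the buffer. The helper name get_groups_checked, the retry limit, and the sample user name and gid are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/*
 * Hypothetical helper (not OpenSSH code): return a malloc'd list of the
 * groups for `user` and store the count in *count. Returns NULL on error.
 */
gid_t *get_groups_checked(const char *user, gid_t base, int *count)
{
    int cap = 1;            /* never pass 0: room for at least one gid */
    gid_t *list = NULL;

    for (int attempt = 0; attempt < 4; attempt++) {
        gid_t *tmp = realloc(list, (size_t)cap * sizeof(*list));
        if (tmp == NULL)
            break;
        list = tmp;

        int n = cap;        /* in: capacity, out: number of groups */
        if (getgrouplist(user, base, list, &n) != -1) {
            if (n < 1 || n > cap)   /* count cannot match the buffer */
                break;
            *count = n;
            return list;
        }
        if (n <= cap)       /* failed without asking for more space */
            break;
        cap = n;            /* retry with the size the call reported */
    }
    free(list);
    return NULL;
}

int main(void)
{
    int n = 0;
    /* Constructed input: a user that should not exist, base gid 12345. */
    gid_t *g = get_groups_checked("no-such-user-example", 12345, &n);
    if (g == NULL)
        return 1;
    for (int i = 0; i < n; i++)
        printf("gid %lu\n", (unsigned long)g[i]);
    free(g);
    return 0;
}
```

These checks only cover a libc that honours the ngroups parameter; a getgrouplist() that writes past the buffer regardless of the count, as described for the RH9 box, cannot be caught by the caller.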



