
user/1819: Possible signal race in pppd(8)




>Number:         1819
>Category:       user
>Synopsis:       Possible signal race in pppd(8)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri May 11 14:20:02 MDT 2001
>Last-Modified:
>Originator:     Przemyslaw Frasunek
>Organization:
czuby.net
>Release:        OpenBSD 2.9-beta
>Environment:
	System      : OpenBSD 2.9
	Architecture: OpenBSD.i386
	Machine     : i386
>Description:

	Pppd(8) uses the same functions as signal handlers for SIGHUP
	and SIGINT:

	SIGNAL(SIGINT, term);
	SIGNAL(SIGTERM, term);

	and the bad_signal() handler for other signals:

	SIGNAL(SIGABRT, bad_signal);
	SIGNAL(SIGALRM, bad_signal);
	SIGNAL(SIGFPE, bad_signal);
	[...]

	This opens a potential security hole, because term() and bad_signal()
	use library functions and syscalls which aren't reentrant-safe.

	Pppd is suid root on a default system.

>How-To-Repeat:
	None. Theoretical vulnerability.
>Fix:
	Fix sighandlers.

>Audit-Trail:
>Unformatted:
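
One way to restructure handlers like term() and bad_signal() so that no non-reentrant call runs in signal context, given here as an added example that is not part of the original report and is not pppd's code. All function and variable names are hypothetical; the sketch assumes a single-threaded daemon with a main loop that can poll a flag.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* The only state the handler touches; sig_atomic_t is safe to write from a handler. */
static volatile sig_atomic_t pending_sig = 0;

/* Handler does no stdio, malloc or syslog work: it records the signal and returns. */
static void note_signal(int sig)
{
    if (pending_sig == 0)      /* keep the first signal, ignore later ones */
        pending_sig = sig;
}

/* One handler for several signals; all of them are blocked while it runs, so it is never re-entered. */
int install_deferred_handlers(const int *sigs, size_t n)
{
    struct sigaction sa;
    size_t i;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = note_signal;
    sigemptyset(&sa.sa_mask);
    for (i = 0; i < n; i++)
        sigaddset(&sa.sa_mask, sigs[i]);
    for (i = 0; i < n; i++)
        if (sigaction(sigs[i], &sa, NULL) != 0)
            return -1;
    return 0;
}

/* Called from the main loop, in normal context: non-reentrant work is safe here. */
int handle_pending_signal(void)
{
    int sig = pending_sig;
    if (sig == 0) return 0;
    fprintf(stderr, "terminating on signal %d\n", sig);  /* stands in for the real teardown */
    return sig;
}

int main(void)
{
    const int sigs[] = { SIGINT, SIGTERM };
    if (install_deferred_handlers(sigs, 2) != 0) return 1;
    raise(SIGTERM);
    raise(SIGINT);             /* arrives second; the recorded signal is unchanged */
    return handle_pending_signal() == SIGTERM ? 0 : 1;
}
```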