CentOS - Feb 2017 - Serious attack vector on pkcheck ignored by Red Hat

Based on an article that was mentioned on this list 

https://googleprojectzero.blogspot.nl/2014/08/the-poisoned-nul-byte-2014-edition.html

I found two attacker controlled memory leaks in the option parsing of
pkcheck.c. These memory leaks allow a local attacker the ability to
"spray the heap", i.e. initialize large parts of the heap before
launching his attack.

The original attack uses a setuid binary, because the author "is giving
himself a break".

However, the fact that the binary in the example is setuid is orthogonal
to the fact that heap spraying is a very serious attack vector.

Bug reports are filed but closed WONTFIX. I think this is a mistake so I
would hope people could weigh in on this.

https://bugs.freedesktop.org/show_bug.cgi?id=99626
https://bugzilla.redhat.com/show_bug.cgi?id=1418278
https://bugzilla.redhat.com/show_bug.cgi?id=1418287

Thanks for your interest.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research

On 2/2/2017 6:22 AM, Leonard den Ottolander wrote:
> However, the fact that the binary in the example is setuid is orthogonal
> to the fact that heap spraying is a very serious attack vector.
without privilege escalation, what does it attack ?


-- 
john r pierce, recycling bits in santa cruz

On Thu, 2017-02-02 at 06:40 -0800, John R Pierce wrote:
> On 2/2/2017 6:22 AM, Leonard den Ottolander wrote:
> > However, the fact that the binary in the example is setuid is
orthogonal
> > to the fact that heap spraying is a very serious attack vector.
> 
> without privilege escalation, what does it attack ?
pkcheck might not be directly vulnerable. However, pkexec is. Closing
these bugs because pkcheck might not be directly vulnerable also stops
pkexec from being fixed. And pkexec clearly is vulnerable.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research