On Fri, Jun 8, 2012 at 3:02 PM, Dave Mitchell <davem@iabyn.com> wrote:
> On Fri, Jun 08, 2012 at 12:56:56PM -0500, Reini Urban wrote:
>> Upcoming group privilege dropping CVE
>>
>> POSIX and Proc::UID seem to be affected in 5.14.2 at least.
>> Confirmed on my system.
>>
>> FW from oss-security:
>> http://www.openwall.com/lists/oss-security/2012/05/24/6
>> http://people.redhat.com/sgrubb/security/find-nodrop-groups
>
> If I read this correctly, someone is pointing out that an app that does
> setgid(2) without using initgroups(3) *might* be insecure due to not
> dropping supplementary groups when dropping root privileges?
>
> And of the two examples you've found that concern perl, one (Proc::UID) is
> not part of the perl distribution.

There has been a valid open bug in the cpan queue for 6 years.
https://rt.cpan.org/Ticket/Display.html?id=21400

> and the other (POSIX) is simply making
> system calls such as setgid available to perl applications; it is the
> fault of those applications, rather than POSIX, if they don't also call
> initgroups??

POSIX needs to add initgroups and setgroups, and document setgid in reference to supplementary groups.

> So I've just wasted 15 minutes of my time?

If you do not care, apparently.

-- 
Reini Urban
http://cpanel.net/ http://www.perl-compiler.org/
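The following is an added example, not code from this thread, from the perl distribution or from Proc::UID. It shows the pattern the oss-security post is about (setgid/setuid via POSIX.pm with the supplementary groups inherited from root left in place) next to a drop that clears them with what perl 5.14 already offers: POSIX.pm has no setgroups or initgroups, but assigning a space-separated list to $) passes the trailing numbers to setgroups(2), and repeating the gid yields a list holding only the target gid. setgroups(2) needs root, so it has to run before the uid is dropped, and because perl discards setgroups' return value the example verifies the result by reading the group list back instead of trusting $!. The account name `nobody` and the helper names are assumptions for illustration; the script must be started as root to actually perform the drop.

```perl
#!/usr/bin/perl
# Added example, not part of the original message. Assumes Linux/POSIX
# semantics: setgroups(2) requires root, so the supplementary group
# list has to be cleared before setuid(2).
use strict;
use warnings;
use POSIX qw(setgid setuid);

# Supplementary groups the process currently holds, other than $gid.
# $) reads as "egid g1 g2 ..."; the trailing numbers are getgroups(2)'s
# list, which may repeat the effective gid on some systems.
sub leftover_groups {
    my ($gid) = @_;
    my ($egid, @groups) = split ' ', $);
    my %seen;
    return grep { $_ != $gid && !$seen{$_}++ } @groups;
}

# The flawed pattern: gid and uid are dropped, but nothing touches the
# supplementary groups inherited from root (e.g. root, wheel, adm for a
# daemon started by init), so the process keeps their file access.
sub drop_privs_broken {
    my ($uid, $gid) = @_;
    setgid($gid) or die "setgid($gid): $!\n";
    setuid($uid) or die "setuid($uid): $!\n";
}

# Corrected order: groups, then gid, then uid, with each step checked.
sub drop_privs {
    my ($uid, $gid) = @_;

    # setegid($gid) plus setgroups([$gid]); must happen while still root.
    $) = "$gid $gid";
    my @left = leftover_groups($gid);
    die "supplementary groups not dropped: @left\n" if @left;

    setgid($gid) or die "setgid($gid): $!\n";   # real + effective gid
    setuid($uid) or die "setuid($uid): $!\n";   # real + effective uid

    # Post-conditions asserted rather than assumed. $( and $) are
    # dual-valued, so numeric comparison yields the bare gid.
    die "gid not dropped\n"          unless $( == $gid && $) == $gid;
    die "uid not dropped\n"          unless $< == $uid && $> == $uid;
    die "root privileges regainable\n" if setuid(0);
    return 1;
}

# Usage (as root):  perl drop.pl nobody
# 'nobody' is only an assumed example account.
my $target = shift @ARGV || 'nobody';
my (undef, undef, $uid, $gid) = getpwnam($target)
    or die "no such user: $target\n";

if ($< != 0) {
    # Not root: only report what a correct drop would have had to clear.
    my @groups = leftover_groups(0 + $();
    print "not root; supplementary groups held: @groups\n";
    exit 0;
}

drop_privs($uid, $gid);
printf "now uid=%d gid=%d, supplementary groups: [%s]\n",
    0 + $<, 0 + $(, join(' ', leftover_groups($gid));
```

drop_privs_broken is left in the script as the shape to look for in audits; any code that calls POSIX::setgid/POSIX::setuid without first assigning to $) (or calling setgroups through some other module) needs the same read-back check as drop_privs to prove the inherited groups are gone.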