libnss_db reads a DB_CONFIG file in the current directory

Bug #531976 reported by Stephane Chazelas
Affects             Status        Importance  Assigned to  Milestone
libnss-db (Debian)  Fix Released  Unknown
libnss-db (Ubuntu)  Fix Released  Medium      Kees Cook
  Dapper            Won't Fix     Medium      Unassigned
  Hardy             Fix Released  Medium      Kees Cook
  Intrepid          Fix Released  Medium      Kees Cook
  Jaunty            Fix Released  Medium      Kees Cook
  Karmic            Fix Released  Medium      Kees Cook
  Lucid             Fix Released  Medium      Kees Cook

Bug Description

Binary package hint: libnss-db

sudo apt-get install libnss-db
sudo /etc/init.d/nscd stop (in case nscd is installed)
sudo ln -s /etc/shadow DB_CONFIG
$ sudo
line 1: root:*:14553:0:99999:7:::: incorrect name-value pair
[...]

Through libdb (libdb4.6 4.6.21-13ubuntu2 here), libnss_db seems to try and read a DB_CONFIG file in the current directory (instead of /var/lib/misc I suppose).

That's a security vulnerability because in the case of setuid or setgid commands, excerpts of the file are revealed to the calling user (and maybe more harm could be done with specially crafted DB_CONFIG files).

ProblemType: Bug
Architecture: amd64
Date: Thu Mar 4 15:42:04 2010
DistroRelease: Ubuntu 9.10
NonfreeKernelModules: wl nvidia
Package: libnss-db 2.2.3pre1-3ubuntu3
ProcEnviron:
 SHELL=/bin/zsh
 PATH=(custom, user)
 LANG=en_GB.UTF-8
ProcVersionSignature: Ubuntu 2.6.31-19.56-generic
SourcePackage: libnss-db
Uname: Linux 2.6.31-19-generic x86_64

Stephane Chazelas (stephane-chazelas) wrote : Re: [Bug 531976] [NEW] libnss_sb reads a DB_CONFIG file in th current directory

summary "libnss_db reads a DB_CONFIG file in the current directory"

Kees Cook (kees) wrote : Re: libnss_sb reads a DB_CONFIG file in th current directory

Thank you for your report! I'm having trouble reproducing this situation. Can you include your /etc/nsswitch.conf file, and perhaps the specific steps to reproduce this from a fresh install?

I have tried:
sudo apt-get -y install libnss-db sudo
cd /tmp
ln -s /etc/shadow DB_CONFIG
sudo

Even through strace, I don't see attempts being made to open DB_CONFIG. I suspect my configuration of libnss-db is incomplete in some way.

Kees Cook (kees) wrote :

I spoke too soon. "cd /var/lib/misc; sudo make" is required to initialize the databases, after which point, I see the information leak.

Changed in libnss-db (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Kees Cook (kees)
summary: - libnss_sb reads a DB_CONFIG file in th current directory
+ libnss_db reads a DB_CONFIG file in the current directory
Stephane Chazelas (stephane-chazelas) wrote : Re: Embargoed security issue in libnss_db

2010-03-04 18:52:51 -0800, Ulrich Drepper:
> That code isn't maintained for a decade or more. Nobody should have
> used that code since then and there certainly will be no code changes to
> obsolete, actively removed code.
[...]

Hi Ulrich,

Well,

http://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nsswitch.conf;hb=HEAD

has "db" for all the nss databases as first choice, ubuntu's and
debian's for a few databases by default (BTW, debian unstable is
also affected)

and

http://packages.debian.org/changelogs/pool/main/libn/libnss-db/libnss-db_2.2.3pre1-3.1/changelog

looks somehow maintained to me.

I can see no mention of nss-db being obsoleted in the glibc
README.

What would be the official alternative then?

regards,
Stephane

Kees Cook (kees) wrote :

CVE-2010-0826

Kees Cook (kees)
Changed in libnss-db (Ubuntu Lucid):
assignee: nobody → Kees Cook (kees)
Changed in libnss-db (Ubuntu Jaunty):
assignee: nobody → Kees Cook (kees)
Changed in libnss-db (Ubuntu Karmic):
assignee: nobody → Kees Cook (kees)
Changed in libnss-db (Ubuntu Intrepid):
assignee: nobody → Kees Cook (kees)
Changed in libnss-db (Ubuntu Hardy):
assignee: nobody → Kees Cook (kees)
Changed in libnss-db (Ubuntu Karmic):
importance: Undecided → Medium
Changed in libnss-db (Ubuntu Jaunty):
importance: Undecided → Medium
Changed in libnss-db (Ubuntu Intrepid):
importance: Undecided → Medium
Changed in libnss-db (Ubuntu Hardy):
importance: Undecided → Medium
Changed in libnss-db (Ubuntu Dapper):
importance: Undecided → Medium
status: New → Confirmed
Changed in libnss-db (Ubuntu Hardy):
status: New → Confirmed
Changed in libnss-db (Ubuntu Intrepid):
status: New → Confirmed
Changed in libnss-db (Ubuntu Jaunty):
status: New → Confirmed
Changed in libnss-db (Ubuntu Karmic):
status: New → Confirmed
visibility: private → public
Changed in libnss-db (Ubuntu Dapper):
status: Confirmed → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libnss-db - 2.2.3pre1-3.1ubuntu3

---------------
libnss-db (2.2.3pre1-3.1ubuntu3) lucid; urgency=low

  * SECURITY UPDATE: allows reading of arbitrary file contents (LP: #531976)
    - Add 200-set-db-environment.dpatch: set environment correctly.
    - CVE-2010-0826
 -- Kees Cook <email address hidden> Mon, 29 Mar 2010 15:48:19 -0700

Changed in libnss-db (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libnss-db - 2.2.3pre1-3ubuntu3.9.10.2

---------------
libnss-db (2.2.3pre1-3ubuntu3.9.10.2) karmic-security; urgency=low

  * SECURITY UPDATE: allows reading of arbitrary file contents (LP: #531976)
    - Add 200-set-db-environment.dpatch: set environment correctly.
    - CVE-2010-0826
 -- Kees Cook <email address hidden> Tue, 30 Mar 2010 10:41:17 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libnss-db - 2.2.3pre1-3ubuntu3.9.04.2

---------------
libnss-db (2.2.3pre1-3ubuntu3.9.04.2) jaunty-security; urgency=low

  * SECURITY UPDATE: allows reading of arbitrary file contents (LP: #531976)
    - Add 200-set-db-environment.dpatch: set environment correctly.
    - CVE-2010-0826
 -- Kees Cook <email address hidden> Tue, 30 Mar 2010 10:41:17 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libnss-db - 2.2.3pre1-3ubuntu1.8.10.2

---------------
libnss-db (2.2.3pre1-3ubuntu1.8.10.2) intrepid-security; urgency=low

  * SECURITY UPDATE: allows reading of arbitrary file contents (LP: #531976)
    - Add 200-set-db-environment.dpatch: set environment correctly.
    - CVE-2010-0826
 -- Kees Cook <email address hidden> Tue, 30 Mar 2010 10:41:17 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libnss-db - 2.2.3pre1-3ubuntu1.8.04.2

---------------
libnss-db (2.2.3pre1-3ubuntu1.8.04.2) hardy-security; urgency=low

  * SECURITY UPDATE: allows reading of arbitrary file contents (LP: #531976)
    - Add 200-set-db-environment.dpatch: set environment correctly.
    - CVE-2010-0826
 -- Kees Cook <email address hidden> Tue, 30 Mar 2010 10:41:17 -0700

Changed in libnss-db (Ubuntu Hardy):
status: Confirmed → Fix Released
Changed in libnss-db (Ubuntu Intrepid):
status: Confirmed → Fix Released
Changed in libnss-db (Ubuntu Jaunty):
status: Confirmed → Fix Released
Changed in libnss-db (Ubuntu Karmic):
status: Confirmed → Fix Released
Changed in libnss-db (Debian):
status: Unknown → Fix Released
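
Added example (not part of the original report or of the libnss-db package): a Python check that lists which databases in an nsswitch.conf use the db service and compares an installed libnss-db version against the fixed versions from the changelog entries above, using Debian version ordering. The sample nsswitch.conf and all function names are constructed for illustration.

```python
import re

# Fixed versions per Ubuntu release, copied from the changelog entries in this report.
FIXED = {"hardy": "2.2.3pre1-3ubuntu1.8.04.2", "intrepid": "2.2.3pre1-3ubuntu1.8.10.2",
         "jaunty": "2.2.3pre1-3ubuntu3.9.04.2", "karmic": "2.2.3pre1-3ubuntu3.9.10.2",
         "lucid": "2.2.3pre1-3.1ubuntu3"}  # Dapper is "Won't Fix", so it has no entry

# Constructed sample /etc/nsswitch.conf (not taken from the report).
SAMPLE = """\
passwd:    db files
group:     db files
shadow:    files
protocols: db [NOTFOUND=return] files  # action items are not services
"""

def _part_key(part):
    """Sort key for one version component, following Debian ordering rules."""
    key = []
    for text, digits in re.findall(r"(\D*)(\d*)", part):
        # '~' sorts before end-of-string (0); letters sort before other characters.
        order = [-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256 for c in text]
        key.append((order + [0], int(digits or 0)))
    return key

def deb_key(version):
    """Split [epoch:]upstream[-revision] into a key ordered by Debian version rules."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return (int(epoch), _part_key(upstream), _part_key(revision))

def db_databases(nsswitch_text):
    """Return the NSS databases whose source list includes the 'db' service."""
    found = []
    for line in nsswitch_text.splitlines():
        name, sep, sources = line.split("#", 1)[0].partition(":")
        services = re.sub(r"\[[^\]]*\]", " ", sources).split()  # drop [STATUS=action]
        if sep and "db" in services:
            found.append(name.strip())
    return found

def audit(nsswitch_text, release, installed):
    """Flag a host that uses the db service with a libnss-db older than the fix."""
    dbs = db_databases(nsswitch_text)
    fixed = FIXED.get(release)
    patched = fixed is not None and deb_key(installed) >= deb_key(fixed)
    return {"db_databases": dbs, "fixed_in": fixed, "exposed": bool(dbs) and not patched}

if __name__ == "__main__":
    print(audit(SAMPLE, "karmic", "2.2.3pre1-3ubuntu3"))  # version from the report
```

On a real host, pass the contents of /etc/nsswitch.conf and the version reported by dpkg for libnss-db.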