Mail Archives: cygwin/2016/04/19/15:40:52

From: Yaakov Selkowitz <yselkowitz AT cygwin DOT com>
Subject: [ANNOUNCEMENT] CVE-2016-3067: network privilege escalation in Cygwin set(e)uid
To: cygwin AT cygwin DOT com
Message-Id: <announce.571688E6.7000908@cygwin.com>
Date: Tue, 19 Apr 2016 14:37:10 -0500

In versions of Cygwin prior to 2.5.0, a process which switched user 
contexts on a system where neither the Cygwin LSA module was enabled, 
nor the user password stored thereon with 'passwd -R', would retain the 
network credentials of the original user context even after switching. 
In the case of system services, such as a user which logged into a 
Cygwin SSHD or a command run from a cronjob, this would allow access to 
network shares to which the system service account (normally 
'cyg_server', which is in the Administrators group) has access but to 
which the user would otherwise be denied.

This issue was reported[1][2] by David Willis on 2016-Feb-08 and a fix 
committed[3] to the upstream repository by Corinna Vinschen on 
2016-Feb-18.  The fix was first included in the 2.5.0-0.4 test release 
on the same day[4] and in the 2.5.0-1 stable release which shipped[5] on 
2016-Apr-11.

Red Hat Product Security has assigned CVE-2016-3067 for this issue.

[1] https://cygwin.com/ml/cygwin/2016-02/msg00101.html
[2] https://cygwin.com/ml/cygwin/2016-02/msg00129.html and thread
[3] https://sourceware.org/git/?p=newlib-cygwin.git;a=commit;h=205862ed08649df8f50b926a2c58c963f571b044
[4] https://cygwin.com/ml/cygwin-announce/2016-02/msg00023.html
[5] https://cygwin.com/ml/cygwin-announce/2016-04/msg00020.html

-- 
Yaakov
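
An added example, not part of the announcement or of the Cygwin project's code: a shell check that classifies an installed `cygwin` package version against the fix points named above (2.5.0-0.4 test release, 2.5.0-1 stable). The function names are hypothetical, and an "affected-version" result means exposure only under the conditions the announcement describes (no Cygwin LSA module and no password stored with 'passwd -R').

```shell
#!/bin/sh
# Added example: classify a Cygwin package version string (as listed by
# `cygcheck -c cygwin`, e.g. "2.4.1-1") against the CVE-2016-3067 fix points.

# ver_lt A B: succeed if dotted numeric version A sorts strictly before B.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}            # a missing field counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1                            # versions are equal
}

# Prints "affected-version", "fixed", or "unknown" for VERSION[-RELEASE].
cve_2016_3067_status() {
    ver=$1
    case $ver in
        ''|-*|*-*-*|*[!0-9.-]*) echo unknown; return 0 ;;
    esac
    upstream=${ver%%-*}
    case $ver in *-*) rel=${ver#*-} ;; *) rel=0 ;; esac
    if ver_lt "$upstream" 2.5.0; then
        echo affected-version           # prior to 2.5.0
    elif ver_lt 2.5.0 "$upstream"; then
        echo fixed
    elif ver_lt "$rel" 0.4; then
        echo affected-version           # 2.5.0 test build older than 0.4
    else
        echo fixed                      # 2.5.0-0.4 test or 2.5.0-1 stable
    fi
}

# On a Cygwin host, report the installed package; skipped elsewhere.
if command -v cygcheck >/dev/null 2>&1; then
    installed=$(cygcheck -c cygwin | awk '$1 == "cygwin" { print $2 }')
    echo "cygwin $installed: $(cve_2016_3067_status "$installed")"
fi
```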
