Fixing wg-quick's DNS= directive with a hatchet
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Oct 30 13:16:22 CET 2017
On Sun 2017-10-29 23:06:31 +0100, Jason A. Donenfeld wrote:
> By the way, the program you wrote introduces a trivial local privilege
> escalation vulnerability into Debian, since not all available
> providers of the resolvconf binary set PATH themselves. Always clear
> environment variables yourself before exec'ing anything in an suid
> executable.
Thanks for this report, it should be fixed in resolvconf-admin 0.3.
This is a bad failure in the filtering that resolvconf-admin is supposed
to provide.
I note that the privilege escalation vulnerability was for any code that
would normally have been running as root anyway without resolvconf-admin
-- so it leaves systems no worse than they'd been without
resolvconf-admin (since no user is added to the resolvconf-admins group
by default). But it's definitely a bad failure mode, given the design
and intent of resolvconf-admin.
I appreciate the catch! Please don't hesitate to report any other
similar problems.
Regards,
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20171030/3ff07237/attachment.asc>
More information about the WireGuard
mailing list