Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add advisory for stack buffer overflow with whoami #1911

Merged
merged 3 commits into from
Mar 5, 2024

Conversation

sunshowers
Copy link
Contributor

@sunshowers sunshowers commented Mar 5, 2024

See:

Questions:

  • Some other Unix platforms may also be affected. It's hard to enumerate a full list here, but happy to add them as they come to mind for people.

Copy link
Member

@Shnatsel Shnatsel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the report! Just a few minor tweaks and it's ready to go!

crates/whoami/RUSTSEC-0000-0000.md Outdated Show resolved Hide resolved
[affected]
# Solaris is also probably affected, as are other Unix OSes that aren't any of:
# linux, macos, freebsd, dragonfly, bitrig, openbsd, netbsd
os = ["illumos"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
os = ["illumos"]
os = ["illumos","solaris"]

FYI the full lists of recognized platforms can be found at https://docs.rs/platforms/latest/platforms/target/enum.OS.html

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I just wasn't sure whether Solaris is affected because I don't have access to their man pages or a running machine.

From https://docs.rs/platforms/latest/platforms/target/enum.OS.html I can't tell what the other Unix platforms are.

I'm also unsure whether the other Apple platforms (iOS, tvOS, watchOS?) are affected. They would probably be affected if it was possible to build and run binaries with whoami on them, but I don't know if that's the case in reality.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll add Solaris because the preponderance of evidence suggests it is affected.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The platforms crate doesn't expose the unix-ness right now, even though rustc is aware of it. So I've written a shell script to list all Unix OSs:

rustc --print=target-list | while read TARGET; do rustc --print=cfg --target="$TARGET" | grep -q 'unix' && rustc --print=cfg --target="$TARGET" | grep 'target_os' | cut -d '=' -f 2-; done | sort -u

This is the result:

"aix"
"android"
"dragonfly"
"emscripten"
"espidf"
"freebsd"
"fuchsia"
"haiku"
"horizon"
"hurd"
"illumos"
"ios"
"l4re"
"linux"
"macos"
"netbsd"
"nto"
"openbsd"
"redox"
"solaris"
"tvos"
"vita"
"vxworks"
"watchos"

Copy link
Contributor Author

@sunshowers sunshowers Mar 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahh, so some of those of those platforms would also be affected and I guess the advisory may need to be updated. Any platform where the passwd struct doesn't match Linux's, and isn't part of the other named list of platforms, is affected.

I went through a few of them by hand:

  • AIX is accidentally okay because the passwd struct matches Linux.
  • Fuchsia is okay, I think? I can't find the source code but this struct has all the fields, though they're in alphabetical order.
  • Android is okay per this struct.

It's hard to go through every single platform, so if you have suggestions for a better way to do this, or some kind of other catch-all, I'd love that.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The advisory db format doesn't support platform selectors, only a list.

Sadly I am not aware of a resource that would aggregate and/or diff the C APIs from different platforms.

@Shnatsel Shnatsel merged commit 7af45b5 into rustsec:main Mar 5, 2024
1 check passed
@sunshowers sunshowers deleted the whoami branch March 5, 2024 01:40
@AldaronLau
Copy link

Would it be important to note that this doesn't affect whoami < 0.5.3 (from 5 years ago)?

This is also a problem on freebsd, dragonfly, bitrig, openbsd, netbsd with whoami >= 0.5.3, < 1.0.1 (not sure if that would count separately from this or not).

@AldaronLau
Copy link

Also just noticed this affects not only whoami::username(), but additionally whoami::realname(), whoami::username_os(), and whoami::realname_os().

@Shnatsel
Copy link
Member

Shnatsel commented Mar 5, 2024

Yes, that would be useful. We have the unaffected field for that.

@sunshowers
Copy link
Contributor Author

Thanks. I'll send an update shortly.

sunshowers added a commit to sunshowers/rustsec-advisory-db that referenced this pull request Mar 5, 2024
Add information about more platforms affected, per
rustsec#1911 (comment).
Shnatsel pushed a commit that referenced this pull request Mar 6, 2024
* update RUSTSEC-2024-2020 with additional information

Add information about more platforms affected, per
#1911 (comment).

* fix syntax

* update affected.os

* remove bitrig
EliahKagan added a commit to EliahKagan/advisory-db that referenced this pull request Jan 18, 2025
This builds on rustsec#2193 by listing all Unix-like target operating
systems as affected (since a category of OSes like "unix" cannot
currently be represented in RUSTSEC advisory metadata).

The list was obtained by running the command given in:
rustsec#1911 (comment)

The vulnerability is specific to Unix-like operating systems
because:

- The vulnerable code runs only in the `unix` build configuration.

- 0777 permissions are meaningful on such systems and (due to
  containing 0002) allow any user account on the system to write.

Therefore, if there are any Unix-like systems where Unix-style
filesystem permissions are not used, or that are *truly* single
user (i.e. do not use multiple user accounts, not even for running
daemons with limited privileges), then this vulnerability would not
affect such systems.

In addition, I have not attempted specifically to run the proof of
concept for the vulnerability on most of the listed operating
systems, nor examined whether `gix-worktree-state` might not be
usable on some of them for reasons unrealted to this vulnerability.

Conversely, if new target OSes are added in the future, and they
are Unix-like, then they would probably be vulnerable, even though
not listed here. (It may not be likely that anyone would be using
an affected version of `gix-worktree-state` by that time, though.)
Shnatsel pushed a commit that referenced this pull request Jan 18, 2025
This builds on #2193 by listing all Unix-like target operating
systems as affected (since a category of OSes like "unix" cannot
currently be represented in RUSTSEC advisory metadata).

The list was obtained by running the command given in:
#1911 (comment)

The vulnerability is specific to Unix-like operating systems
because:

- The vulnerable code runs only in the `unix` build configuration.

- 0777 permissions are meaningful on such systems and (due to
  containing 0002) allow any user account on the system to write.

Therefore, if there are any Unix-like systems where Unix-style
filesystem permissions are not used, or that are *truly* single
user (i.e. do not use multiple user accounts, not even for running
daemons with limited privileges), then this vulnerability would not
affect such systems.

In addition, I have not attempted specifically to run the proof of
concept for the vulnerability on most of the listed operating
systems, nor examined whether `gix-worktree-state` might not be
usable on some of them for reasons unrealted to this vulnerability.

Conversely, if new target OSes are added in the future, and they
are Unix-like, then they would probably be vulnerable, even though
not listed here. (It may not be likely that anyone would be using
an affected version of `gix-worktree-state` by that time, though.)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants