Changes between Initial Version and Version 1 of Ticket #4074


Timestamp: Feb 5, 2017, 12:39:29 AM (7 years ago)
Author: fsincos
Comment:

Disclaimer: I'm definitely not a security expert (I'm actually a mathematician, my programming "competence" is mostly "by proxy"), so what I write here might not make sense.

I've searched the source code and found "setuid" in the following places:

  • ./binaries/data/mods/public/simulation/ai/common-api/shared.js and entitycollection.js. These seem to not be the real deal*.

  • gloox, again, probably not the real thing*.
  • mongoose. We use a version from 2011(!), since then the development seems to have moved from Hg to git (https://github.com/cesanta/mongoose seems to be where it's now) and, obviously, the source code is completely different. It says it's an embedded web server library; I know very little about these things so I can't help with updating it.
  • These seem to be custom functions that set a variable called _uid or m_uid.

The situation for "gethostbyname" is as follows:

  • mongoose is at it again.

So, to conclude, the culprit is likely that ancient version of mongoose (and who can blame it, back then people were still typing on stone tablets). It would be an "easy" fix to update it, but since this kind of thing is going to be (and already is for some other libraries we use) a recurring theme, we should probably also create a wiki page (or something like it) where third party libraries are tracked together with their upstream locations, related bugs/issues (e.g. this) and our porting/updating/staging/... branches. Or, if that already exists, it should be way more front-and-center (I couldn't find it on the Wiki at a quick glance).

I'd like to apologize. It's certainly not ideal that security concerns/bugs (however exploitable they might be) stand unanswered for this long. It's also unfortunate that little effort went into keeping up with (some) third-party library updates. There is no point in laying blame somewhere, I just hope we can make sure these problems get fixed before they blow up in our faces.

PS: I'm slightly pissed that I had to step way out of my area of competence here because some people think it's cool to ignore a distribution's maintainer for our package or something. It's possible it was decided to keep the fix private/secret until it was ready; anyway, you could have at least written something like "acknowledged" or a more informed version of what I cobbled together.
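The rpmlint warning quoted in the ticket description, missing-call-to-setgroups-before-setuid, is about ordering: once a root process has called setuid() it can no longer call setgroups(), so any supplementary groups it inherited from root stay attached to the unprivileged process. The following is an added example, not code from 0 A.D., mongoose or gloox; the drop_privileges name, the step enum and the uid/gid values 65534 are my own choices.

```c
/* Added example (not 0 A.D. code): permanently dropping root privileges in the
 * order the rpmlint check expects: setgroups(), then setgid(), then setuid(),
 * followed by a verification that privileges cannot be regained. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

enum drop_result {
    DROP_OK = 0,
    DROP_ERR_SETGROUPS,        /* could not clear supplementary groups */
    DROP_ERR_SETGID,
    DROP_ERR_SETUID,
    DROP_ERR_STILL_PRIVILEGED  /* setuid(0) or setgid(0) still succeeded */
};

/* Switch the process to uid/gid for good. Returns DROP_OK, or the step that
 * failed with errno left as set by the failing system call. */
enum drop_result drop_privileges(uid_t uid, gid_t gid)
{
    /* 1. Clear supplementary groups while we still have the privilege to do so.
     *    After setuid() this call fails, so a process that does it in the wrong
     *    order silently keeps root's group memberships (wheel, disk, ...).
     *    That is exactly what missing-call-to-setgroups-before-setuid flags. */
    if (setgroups(0, NULL) != 0)
        return DROP_ERR_SETGROUPS;

    /* 2. Primary group before the uid, for the same reason. */
    if (setgid(gid) != 0)
        return DROP_ERR_SETGID;

    /* 3. The uid last. Called as root, setuid() sets the real, effective and
     *    saved ids together, so there is no saved root id to switch back to. */
    if (setuid(uid) != 0)
        return DROP_ERR_SETUID;

    /* 4. Verify the drop is irreversible: regaining root must now fail. */
    if (uid != 0 && (setuid(0) == 0 || setgid(0) == 0))
        return DROP_ERR_STILL_PRIVILEGED;

    return DROP_OK;
}

int main(void)
{
    /* Constructed target ids (the conventional "nobody" values); a real program
     * would look the account up with getpwnam() instead of hard-coding them. */
    enum drop_result r = drop_privileges(65534, 65534);
    if (r != DROP_OK) {
        fprintf(stderr, "drop_privileges failed at step %d: %s\n", (int)r, strerror(errno));
        return 1;
    }
    printf("now running as uid %u, gid %u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run as root the program ends up as uid 65534 with an empty supplementary group list; run as an ordinary user the very first step fails with EPERM, which is the visible symptom of the ordering problem: setgroups() is only ever possible while the process is still privileged.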

  • Ticket #4074 – Description

    When compiling 0AD (alpha 20) for openSUSE I get the following warning about a potential security issue:

    {{{
    W: missing-call-to-setgroups-before-setuid /usr/bin/pyrogenesis

    for details about the problem.
    }}}

    And also I get this warning:

    {{{
    I: binary-or-shlib-calls-gethostbyname /usr/bin/pyrogenesis
    The binary calls gethostbyname(). Please port the code to use getaddrinfo().
    }}}

    gethostbyname should not be used because it does not support IPv6 and in the near future there might be some IPv6-only networks (e.g. at the moment my provider only gives me an IPv6 range and IPv4 only as carrier-grade NAT).
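The port the second rpmlint message asks for is mechanical once you know the shape of the replacement: gethostbyname() returns a single IPv4-centric hostent, while getaddrinfo() with ai_family set to AF_UNSPEC returns a linked list of sockaddrs that can be IPv4 or IPv6 in any mix. The following is an added example, not code from 0 A.D. or mongoose; resolve_host, resolved_addr and the MAX_ADDRS limit are my own names, and the numeric_only flag is there so the example runs without DNS.

```c
/* Added example (not 0 A.D. or mongoose code): resolving a host name with
 * getaddrinfo() instead of gethostbyname(), so that IPv6 results are returned
 * alongside IPv4 ones. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

#define MAX_ADDRS 8

/* One resolved address: its family plus the numeric text form. */
struct resolved_addr {
    int family;     /* AF_INET or AF_INET6 */
    char text[64];  /* e.g. "::1" or "127.0.0.1" */
};

/* Resolve `host` (and optional `service`) into at most `max` addresses.
 * numeric_only sets AI_NUMERICHOST, so no DNS query is made (used here to keep
 * the example offline). Returns the number of addresses stored, or -1 with the
 * getaddrinfo() error code in *gai_err. */
int resolve_host(const char *host, const char *service, int numeric_only,
                 struct resolved_addr *out, int max, int *gai_err)
{
    struct addrinfo hints, *res, *rp;
    int n = 0, rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;        /* both IPv4 and IPv6: the point of the port */
    hints.ai_socktype = SOCK_STREAM;    /* one entry per address, not one per socket type */
    hints.ai_flags = numeric_only ? AI_NUMERICHOST : 0;

    rc = getaddrinfo(host, service, &hints, &res);
    if (rc != 0) {
        if (gai_err)
            *gai_err = rc;
        return -1;
    }
    for (rp = res; rp != NULL && n < max; rp = rp->ai_next) {
        out[n].family = rp->ai_family;
        /* NI_NUMERICHOST formats the address without a reverse lookup. */
        if (getnameinfo(rp->ai_addr, rp->ai_addrlen, out[n].text, sizeof out[n].text,
                        NULL, 0, NI_NUMERICHOST) != 0)
            continue;
        n++;
    }
    freeaddrinfo(res);  /* gethostbyname() used static storage; this list is heap-allocated */
    return n;
}

int main(int argc, char **argv)
{
    struct resolved_addr addrs[MAX_ADDRS];
    /* With no argument, resolve a numeric literal so the program works offline. */
    const char *host = argc > 1 ? argv[1] : "::1";
    int err = 0;
    int n = resolve_host(host, NULL, argc > 1 ? 0 : 1, addrs, MAX_ADDRS, &err);
    if (n < 0) {
        fprintf(stderr, "%s: %s\n", host, gai_strerror(err));
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("%s -> %s (%s)\n", host, addrs[i].text,
               addrs[i].family == AF_INET6 ? "IPv6" : "IPv4");
    return 0;
}
```

The caller then iterates the returned addresses and tries socket()/connect() on each in turn, which is the idiom that makes a client work on an IPv6-only network without any further code changes; gethostbyname() can never produce an AF_INET6 entry here, which is why the rpmlint check flags it.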