Closed alejandro-colomar closed 4 months ago
I tested a few other commands, and it seems like su was the only one that allowed messages to go to auth.log. To summarize the issue I sent in my email, su was allowing an attacker message to go to /var/log/auth.log without checking if it had newlines or escape sequences.
A quick PoC:
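```c
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    char *prog = "/usr/bin/su";
    /* argv[0] is caller-controlled; here it carries an ANSI colour escape */
    char *argv[] = {"\033[33mYellow", "root", NULL};
    char *envp[] = {NULL};

    execve(prog, argv, envp);
    /* execve() only returns on failure */
    printf("Failed to exec\n");
    return 1;
}
```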
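The check the report says was missing, sketched as an added example that is not part of the original thread and not shadow's code: escape newlines, escape sequences and other non-printable bytes in a caller-supplied string before it reaches a log line. The helper name `log_escape`, the `\xNN` output format and the sample log lines are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from shadow): copy `in` to `out`, replacing every
 * byte that is not printable ASCII, and the backslash itself, with \xNN.
 * Always NUL-terminates; returns 0 on success, -1 if the output was cut. */
int log_escape(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (outsz == 0)
        return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int printable = (c >= 0x20 && c <= 0x7e && c != '\\');
        size_t need = printable ? 1 : 4;

        if (o + need >= outsz) {      /* keep room for the terminator */
            out[o] = '\0';
            return -1;
        }
        if (printable) {
            out[o++] = (char)c;
        } else {                      /* ESC, \n, \r, DEL, 0x80-0xff, '\\' */
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: the PoC's argv[0] and a forged second log line. */
    const char *samples[] = {
        "\033[33mYellow",
        "su\nJan  1 00:00:00 host sshd[1]: Accepted password for root",
    };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        log_escape(samples[i], buf, sizeof buf);
        printf("su[1234]: caller=\"%s\"\n", buf);   /* constructed log format */
    }
    return 0;
}
```

Escaping the backslash as well keeps the encoding unambiguous, so a reader of the log can tell an escaped control byte from a literal `\x1b` typed by the caller.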
False alarm. I'll close the issue while there's nothing to fix.
The plans for the next moon are alive again. Maybe even earlier, if possible.
And it seems we already have cheese for this. Let's release .7 on the next full moon after the first patches are ready; so possibly on 2024-03-25.
Cc: @skyler-ferrante