Date: Tue, 23 Sep 2008 21:51:44 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com, oss-security@...ts.openwall.com
cc: coley@...re.org
Subject: Re: CVE Request (openswan, emacspeak, cman)

On Thu, 18 Sep 2008, Jan Lieskovsky wrote:

> a, openswan: Insecure auxiliary /tmp file usage (symlink attack possible)
> Affected file: /usr/libexec/ipsec/livetest
> References: https://bugzilla.redhat.com/show_bug.cgi?id=460425
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496374

Use CVE-2008-4190.

There's probably also a second-order symlink vulnerability in the call to
wget using ipsec.olts.remote.log as an output file. Has that been
addressed/investigated?

Note to source auditors - pay close attention to second-order symlinks, I
bet they're hidden in a lot of places.

> b, emacspeak: Insecure auxiliary /tmp file usage (symlink attack possible)
> Affected file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
> References: https://bugzilla.redhat.com/show_bug.cgi?id=460435
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496431

Use CVE-2008-4191.

> c, cman: Insecure auxiliary /tmp file usage (symlink attack possible)
> Affected file: /sbin/fence_egenera
> References: https://bugzilla.redhat.com/show_bug.cgi?id=460476
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496410

Use CVE-2008-4192, to be filled in later.

- Steve

======================================================
Name: CVE-2008-4190
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4190
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496374
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=460425
Reference: BID:31243
Reference: URL:http://www.securityfocus.com/bid/31243
Reference: XF:openswan-livetest-symlink(45250)
Reference: URL:http://xforce.iss.net/xforce/xfdb/45250

The IPSEC livetest tool in Openswan 2.4.4 and earlier allows local
users to overwrite arbitrary files and execute arbitrary code via a
symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log
temporary files.
======================================================
Name: CVE-2008-4191
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4191
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496431
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=460435
Reference: BID:31241
Reference: URL:http://www.securityfocus.com/bid/31241
Reference: SECUNIA:31880
Reference: URL:http://secunia.com/advisories/31880
Reference: XF:emacspeak-extracttable-symlink(45237)
Reference: URL:http://xforce.iss.net/xforce/xfdb/45237

extract-table.pl in Emacspeak 26 and 28 allows local users to
overwrite arbitrary files via a symlink attack on the
extract-table.csv temporary file.
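
The second-order case raised in the message above (a helper such as wget opening a fixed /tmp name as its output file), shown with one way to harden it. This is an added example, not part of the original message and not Openswan's code; the function names and the stand-in fetch command are hypothetical.

```shell
#!/bin/sh
# Added example; function names and the stand-in fetch command are hypothetical.
# Weak pattern from the thread: a fixed file name in /tmp is handed to a
# helper (wget) as its output file. The helper opens the path itself and
# follows any symlink another local user placed there first.

# Create a work directory atomically, mode 0700, with a random name.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/livetest.XXXXXXXXXX"
}

# Confirm the path is a real directory, not a link, and closed to others.
workdir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld "$1") in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run a helper that opens its own output file, keeping that file inside
# the private directory. Usage: run_with_output DIR NAME CMD [ARGS...]
# The output path is appended as the helper's last argument.
run_with_output() {
    dir=$1; name=$2; shift 2
    workdir_is_private "$dir" || { echo "unsafe work dir: $dir" >&2; return 1; }
    case $name in
        ''|.|..|*/*) echo "bad file name: $name" >&2; return 2 ;;
    esac
    out=$dir/$name
    # Nothing should exist yet in a directory only we can write to.
    if [ -e "$out" ] || [ -L "$out" ]; then
        echo "refusing existing path: $out" >&2; return 3
    fi
    "$@" "$out"
}

demo() {
    d=$(make_workdir) || return 1
    # Constructed stand-in for the downloader: writes to the path in $1.
    run_with_output "$d" remote.log sh -c 'printf "ok\n" > "$1"' fetch
    cat "$d/remote.log"
    rm -rf "$d"
}
demo
```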