Date: Thu, 20 May 2010 18:26:26 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>,
        oss-security <oss-security@...ts.openwall.com>
CC: Tim Bunce <Tim.Bunce@...ox.com>, Rafael Garcia-Suarez <rgs@...sttype.org>,
        Tom Lane <tgl@...hat.com>
Subject: CVE-2010-1974 reject request (dupe of CVE-2010-1168) and CVE-2010-1447
 description modification request

Hi Steve,

   this is regarding:

     a, [1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1974

        This is a duplicate CVE identifier for the Perl Safe.pm module flaw;
        the CVE-2010-1168 identifier was originally assigned to it:

        [2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-1168

     b, [3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1447

        The description of this one incorrectly states that it is a PostgreSQL issue, but
        the code base actually responsible for this deficiency is Perl's Safe.pm
        implementation. The source of this confusion is:
        [4] http://www.postgresql.org/about/news.1203

Attached are advisories from my original posts to the vendor-sec channel for all four issues:
i, CVE-2010-1168 deficiency in Perl's Safe.pm 2.25 and below when handling
    implicit methods:
      [5] https://bugzilla.redhat.com/show_bug.cgi?id=576508#c0

ii, CVE-2010-1169 PostgreSQL's PL/Perl deficiency, present due to its dependency on / use of
     Perl's Safe.pm extension module:
       [6] https://bugzilla.redhat.com/show_bug.cgi?id=582615#c0

iii, CVE-2010-1170 PostgreSQL's PL/Tcl deficiency in handling autoload():
       [7] https://bugzilla.redhat.com/show_bug.cgi?id=583072#c0

iv, CVE-2010-1447 deficiency in Perl's Safe.pm 2.27 and below (see the attached archive for
     more information)
       [8] https://bugzilla.redhat.com/show_bug.cgi?id=588269#c0

Flaw history:
   1, The Red Hat Security Response Team was notified on 2010-03-18 with the details
      of this issue. CVE-2010-1168 was later assigned to it (at that moment we were not
      aware that Rafael had already pseudo-published the flaw details on his blog):
        [9] http://blogs.perl.org/users/rafael_garcia-suarez/2010/03/new-safepm-fixes-security-hole.html
   2, Later, Tim Bunce identified a similar deficiency in PostgreSQL's PL/Perl implementation.
      The CVE-2010-1169 identifier was assigned to it:
        [10] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-1169

   3, Later, Tom Lane identified a similar deficiency in PostgreSQL's PL/Tcl implementation;
      CVE-2010-1170 was assigned to it:
        [11] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-1170

   4, And finally, Tim Bunce and Rafael Garcia-Suarez recognized yet another deficiency
      in Perl's Safe.pm implementation, allowing the Perl Safe compartment constraints to be
      bypassed by evaluating unsafe code that returns references to subroutines whose actual
      execution is delayed until later, outside of the Safe compartment.
        [12] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-1447

I have checked today with Tim: there isn't any new Perl Safe.pm extension module issue (besides the
CVE-2010-1168 and CVE-2010-1447 cases) which would require a new CVE id (CVE-2010-1974 is a dupe of CVE-2010-1168).

Steve, could you please:
   a, reject CVE-2010-1974 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1974) as a duplicate
      CVE identifier for CVE-2010-1168 and,
   b, update the description of CVE-2010-1447 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1447)
      so that it reflects the true cause of the flaw it was originally assigned for.

Hope this clarification is sufficient. In case of any doubt or need for further background information
related to the above four issues, please ask.

Thanks && Regards, Jan.
-- 
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: Re-sending the message again, this time without patches, as the first time the post exceeded the
       maximum message size accepted by the OSS mailer. Apologies to the people in the Cc-list
       for the unintended spam :(.

Perl Safe extension module background:
======================================
The Safe extension module allows the creation of compartments
in which Perl code can be evaluated. Each compartment has:
* a new namespace

  The "root" of the namespace (i.e. "main::") is changed to
  a different package and code evaluated in the compartment cannot
  refer to variables outside this namespace, even with run-time glob
  lookups and other tricks.

* an operator mask

  Each compartment has an associated "operator mask". Code evaluated
  in a compartment compiles subject to the compartment's operator mask.
  Attempting to evaluate code in a compartment which contains a masked
  operator will cause the compilation to fail with an error. The code
  will not be executed.
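The following script is an added example, not part of the advisory or of Safe.pm itself. It exercises the two properties just described on a stock Safe.pm: a read of a variable from the real main:: package comes back undef from inside the compartment, a masked op such as system() is rejected when the string is compiled (so nothing in it ever runs), and the mask can be dumped with Opcode::opset_to_ops so a reviewer can confirm which ops it still covers. The variable and function names are made up for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not from the advisory or from Safe.pm: exercises namespace
# remapping and the operator mask of a Safe compartment on a stock Safe.pm.
# Names ($secret, the helper subs) are made up for this demonstration.
use strict;
use warnings;
use Safe;
use Opcode qw(opset_to_ops);

our $secret = 'only-visible-outside';   # a package variable in the real main::

my $cpt = Safe->new;     # default root (e.g. Safe::Root0) and the :default opset

# 1. Namespace: inside the compartment "main::" means the compartment root,
#    so our $main::secret does not exist there and the read yields undef.
sub namespace_is_isolated {
    my $seen = $cpt->reval('$main::secret');
    die "unexpected compile error: $@" if $@;
    return defined $seen ? 0 : 1;
}

# 2. Operator mask: a masked op is rejected when the string is *compiled*,
#    so nothing in it runs. The error text comes from perl's op checker
#    ("'system' trapped by operation mask ...").
sub masked_op_is_rejected {
    my ($code) = @_;
    $cpt->reval($code);
    return $@ =~ /trapped by operation mask/ ? 1 : 0;
}

# 3. Audit the mask: the op names the compartment refuses, as a hash, so a
#    reviewer can check that the ops they care about are still in it.
sub masked_ops {
    my %masked = map { $_ => 1 } opset_to_ops($cpt->mask);
    return \%masked;
}

printf "compartment root: %s, Safe.pm %s\n", $cpt->root, $Safe::VERSION;
printf "\$main::secret hidden from the compartment: %s\n",
    namespace_is_isolated() ? 'yes' : 'NO';

# Harmless commands on purpose: if the mask ever failed to catch one of
# these, it would actually run.
for my $code ('system("true")', 'exec("true")', 'open(my $fh, "<", "/etc/hostname")') {
    printf "%-42s %s\n", $code,
        masked_op_is_rejected($code) ? 'rejected at compile time' : 'COMPILED';
}

my $masked = masked_ops();
for my $op (qw(system exec backtick fork open require entereval)) {
    printf "%-10s %s\n", $op, $masked->{$op} ? 'masked' : 'ALLOWED';
}
```

The last loop is the part worth keeping in a deployment's test suite: the default opset is what Safe->new gives you, and any permit() call made later widens it, so re-checking the ops you depend on being masked is cheaper than re-reading the Opcode tags.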

CVE-2010-1168 flaw:
==================
  Safe.pm 2.24 and earlier, when used in Perl 5.10.0 and earlier,
may allow attackers to break out of the safe compartment in (1) Safe::reval
or (2) Safe::rdo using (implicit) references to Perl objects in code
compiled and executed within the compartment.
  If a victim were tricked into running a specially-crafted Perl
script using the Safe extension module, it could lead to unauthorized
access to protected information or execution of arbitrary Perl code
which was intended to be prohibited.

Credit:
=======
Nick Cleaton

CVE: CVE identifier of CVE-2010-1168 has been assigned to this flaw.
====

Coordinated Release Date (CRD):
===============================
Monday, 2010-05-17

Please do not publicly mention / discuss the information
provided in this advisory prior to that date.

This may change / be postponed slightly yet, but in that case
we will contact you again with updated CRD.

Affected Perl versions:
=======================
Issue tested && confirmed in Perl versions v5.8.x up to v5.10.x,
where the version of the Safe module extension is <= v2.24.

Patch / Solution:
=================
Upgrade to Perl Safe module extension v2.25 or higher.

Perl CPAN modules which have the Safe extension module as a dependency (from Tim Bunce):
========================================================================================
Config-Scoped, Eval-Context, Workflow, Games-Perlwar, SNMP-Trapinfo, YAML-Logic,
Locale-TextDomain-OO, App-CPAN-Testers-Remailer, Colloquy-Data, Graph, Text::MicroMason::Safe.

PostgreSQL PL/Perl background:
==============================
PL/Perl is a loadable procedural language that enables PostgreSQL
functions to be written in the Perl programming language.

CVE-2010-1169 flaw:
===================
A flaw was found in the way the PostgreSQL server process enforced
permission checks on scripts written in PL/Perl. A remote, authenticated
user, running a specially-crafted PL/Perl script, could use this flaw to
bypass PL/Perl trusted mode restrictions, allowing them to obtain sensitive
information; execute arbitrary Perl scripts; or cause a denial of service
(remove protected, sensitive data).

Credit:
=======
Tim Bunce

CVE: CVE identifier of CVE-2010-1169 has been assigned to this flaw.
====

Coordinated Release Date (CRD):
===============================
Monday, 2010-05-17

Please do not publicly mention / discuss the information
provided in this advisory prior to that date.

This may change / be postponed slightly yet, but in that case
we will contact you again with updated CRD.

Affected PostgreSQL versions:
=============================
Issue tested && confirmed in PostgreSQL versions v7.3.21 through
v9.0alpha4.

Draft patch by Tim Bunce:
========================
See patches/patch-v8.4-stable/pgsql-plperl-CVE-2010-1169-v8.4-draft.patch

Upstream backported patches to older versions of PostgreSQL:
============================================================
See patches/pgsql-rmsafe-CVE-2010-1169-patches.tar.gz.
Please also read the patches/README\ --\ IMPORTANT file, as it
contains important upstream information related to the CVE-2010-1169
fix (there are still some open issues, and it's possible the final form
will differ slightly).

PostgreSQL PL/Tcl background:
==============================
PL/Tcl is a loadable procedural language for the PostgreSQL
database system that enables the Tcl language to be used
to write functions and trigger procedures. 

CVE-2010-1170 flaw:
===================
A flaw was found in the way the PostgreSQL server process enforced
permission checks on scripts written in PL/Tcl. A remote, authenticated
user, running a specially-crafted PL/Tcl script, could use this flaw to
bypass PL/Tcl trusted mode restrictions, allowing them to obtain sensitive
information; execute arbitrary Tcl scripts; or cause a denial of service
(remove protected, sensitive data).

Credit:
=======
Tom Lane of Red Hat

CVE: CVE identifier of CVE-2010-1170 has been assigned to this flaw.
====

Coordinated Release Date (CRD):
===============================
Monday, 2010-05-17

Please do not publicly mention / discuss the information
provided in this advisory prior to that date.

This may change / be postponed slightly yet, but in that case
we will contact you again with updated CRD.

Affected PostgreSQL versions:
=============================
Issue tested && confirmed in PostgreSQL versions v7.3.21 through
v9.0alpha4.

Proposed upstream patches (for various PostgreSQL versions):
===========================================================
See patches/pltcl-patches.tar.gz.

CVE-2010-1447 flaw:
===================
  Safe.pm 2.26 and earlier (except 2.20 through 2.23 if using
a threads-enabled Perl), when used in Perl 5.10.0 and earlier,
may allow attackers to break out of the safe compartment in (1) Safe::reval
or (2) Safe::rdo using references to Perl objects in code executed
outside the compartment.
  If a victim were tricked into running a specially-crafted Perl
script using the Safe extension module, it could lead to unauthorized
access to protected information or execution of arbitrary Perl code
which was intended to be prohibited.
  This is a different vulnerability than CVE-2010-1168.
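The script below is an added example, not part of the advisory or of Safe.pm. It demonstrates the failure mode described above with a harmless payload: a sub compiled inside the compartment, but called later by the unrestricted caller, resolves a run-time name lookup against the caller's main:: rather than the compartment root. It then shows the remedy that Safe.pm 2.27 introduced, wrap_code_ref, which re-enters the compartment (mask and root namespace) whenever the escaped sub is called; reval() in 2.27 and later applies that wrapping to returned code refs itself, which is why this example pulls the bare ref out through varglob() to have something to contrast. It requires Safe 2.27 or later; the variable names are made up.

```perl
#!/usr/bin/perl
# Added example, not from the advisory or from Safe.pm: a sub built inside
# the compartment but executed later, outside it, and the Safe >= 2.27
# remedy (wrap_code_ref). Names ($secret, $escapee, the helper subs) are
# made up for this demonstration.
use strict;
use warnings;
use Safe;

our $secret = 'outside-only';   # state in the real main:: that code in the
                                # compartment must never be able to read

my $cpt = Safe->new;
die "Safe $Safe::VERSION has no wrap_code_ref; need 2.27 or later\n"
    unless $cpt->can('wrap_code_ref');

# The compartment builds a sub that looks up "main::secret" *at run time*
# (a symbolic reference). Run-time name lookups go through whatever "main::"
# currently is: the compartment root while the compartment is active, the
# real main:: once control is back in the unrestricted caller. The sub is
# left in a compartment variable instead of being returned, because reval()
# in Safe >= 2.27 already wraps returned code refs and we want the bare
# ref to contrast against.
$cpt->reval(q{ $escapee = sub { ${"main::secret"} }; 1 })
    or die "compile failed inside the compartment: $@";

my $raw     = ${ $cpt->varglob('escapee') };   # bare code ref, no wrapper
my $wrapped = $cpt->wrap_code_ref($raw);       # re-enters the compartment
                                               # (mask + root) on every call

sub call_raw     { my $v = $raw->();     return defined $v ? $v : 'undef' }
sub call_wrapped { my $v = $wrapped->(); return defined $v ? $v : 'undef' }

# The check a reviewer wants: can the escaped sub, when finally called by
# unrestricted code, see something the compartment itself could not?
sub raw_ref_leaks_caller_state { return call_raw() eq $secret ? 1 : 0 }

printf "Safe.pm %s\n", $Safe::VERSION;
printf "bare ref called outside the compartment returns:    %s\n", call_raw();
printf "wrapped ref called outside the compartment returns: %s\n", call_wrapped();
my $verdict = raw_ref_leaks_caller_state()
    ? "LEAK: delayed execution ran with the caller's namespace"
    : "ok: nothing from the caller reached the escaped sub";
print "$verdict\n";
```

The operator mask is applied when the string is compiled, so the escaped sub cannot contain a masked op; what differs between the two calls is everything resolved at run time, here the package a symbolic reference lands in. That is the general lesson behind this CVE: anything the compartment hands back that still has work to do later (code refs, and by extension objects whose methods run later) must be executed under the compartment's mask and root, not merely compiled under them.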

Credit:
=======
Tim Bunce, Rafaël Garcia-Suarez

CVE: CVE identifier of CVE-2010-1447 has been assigned to this flaw.
====

Coordinated Release Date (CRD):
===============================
Monday, 2010-05-17

Please do not publicly mention / discuss the information
provided in this advisory prior to that date.

This may change / be postponed slightly yet, but in that case
we will contact you again with updated CRD.

Affected Perl versions:
=======================
Issue tested && confirmed in Perl versions v5.8.x up to v5.10.x,
where the version of the Safe module extension is below 2.27 (except 2.20
through 2.23 if using a threads-enabled perl).

Patch / Solution:
=================
Upgrade to Perl Safe module extension v2.27 or higher.

Perl CPAN modules which have the Safe extension module as a dependency (from Tim Bunce):
========================================================================================
Config-Scoped, Eval-Context, Workflow, Games-Perlwar, SNMP-Trapinfo, YAML-Logic,
Locale-TextDomain-OO, App-CPAN-Testers-Remailer, Colloquy-Data, Graph, Text::MicroMason::Safe.
