Date: Fri, 4 Jun 2010 07:48:41 +0300 (EEST) From: Panu Matilainen <pmatilai@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> cc: oss-security@...ts.openwall.com, Jindrich Novy <jnovy@...hat.com>, Florian Festi <ffesti@...hat.com>, Matt McCutchen <matt@...tmccutchen.net> Subject: Re: CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775) On Thu, 3 Jun 2010, Steven M. Christey wrote: > > On Thu, 3 Jun 2010, Josh Bressers wrote: > >> I'm going to give both of these the same CVE id. The issues are very >> related, and I had look at the CWE guide, they both seem to fall under >> "CWE-281: Improper Preservation of Permissions" >> >> Steve, feel free to overrule me on this one. > > At a low level of granularity, it can be overkill to distinguish between > closely-related flaw types. > > The factor of concern here is that Red Hat bug 598775 suggests that the first > variant was committed to a changeset, but not the second. I can't (quickly) > assess whether upstream committed changes for both variants, but if there's > only a commit for the first one (and a public release), then maybe we > consider these bugs as "almost-but-not-quite the same version" and assign a > separate CVE. The second part about POSIX file capabilities was realized shortly afterwards while thinking of possible other similar cases, and has been fixed too now: http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=4d172a194addc49851e558ea390d3045894e3230 To my knowledge no distro actually uses the file capability support in RPM though. - Panu -
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ