Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 4 Jun 2010 07:48:41 +0300 (EEST)
From: Panu Matilainen <pmatilai@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
cc: oss-security@...ts.openwall.com, Jindrich Novy <jnovy@...hat.com>,
        Florian Festi <ffesti@...hat.com>,
        Matt McCutchen <matt@...tmccutchen.net>
Subject: Re: CVE Request -- rpm -- Fails to remove the SUID/SGID
 bits on package upgrade (RH BZ#598775)

On Thu, 3 Jun 2010, Steven M. Christey wrote:
>
> On Thu, 3 Jun 2010, Josh Bressers wrote:
>
>> I'm going to give both of these the same CVE id. The issues are very
>> related, and I had look at the CWE guide, they both seem to fall under
>> "CWE-281: Improper Preservation of Permissions"
>> 
>> Steve, feel free to overrule me on this one.
>
> At a low level of granularity, it can be overkill to distinguish between 
> closely-related flaw types.
>
> The factor of concern here is that Red Hat bug 598775 suggests that the first 
> variant was committed to a changeset, but not the second.  I can't (quickly) 
> assess whether upstream committed changes for both variants, but if there's 
> only a commit for the first one (and a public release), then maybe we 
> consider these bugs as "almost-but-not-quite the same version" and assign a 
> separate CVE.

The second part about POSIX file capabilities was realized shortly 
afterwards while thinking of possible other similar cases, and has been 
fixed too now:
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=4d172a194addc49851e558ea390d3045894e3230

To my knowledge no distro actually uses the file capability support in RPM 
though.

 	- Panu -

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ