Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 19 Sep 2012 14:10:39 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: oss-security@...ts.openwall.com, Damien Stuart <dstuart@...uart.org>,
        Michael Rash <mbr@...herdyne.org>
Subject: CVE Request -- fwknop 2.0.3: Multiple security issues

Hello Kurt, Steve, vendors,

  multiple securit issues have been corrected in 2.0.3 upstream version of
fwknop (http://www.cipherdyne.org/blog/categories/software-releases.html):
---------------------------------------------------------------------------
1) multiple DoS / code execution flaws:
   Upstream patch:
   [1] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=d46ba1c027a11e45821ba897a4928819bccc8f22

2) server did not properly validate allow IP addresses from malicious
   authenticated clients
   Upstream patch:
   [2] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=f4c16bc47fc24a96b63105556b62d61c1ba7d799

3) strict filesystem permissions for various fwknop files are not verified
4) local buffer overflow in --last processing with a maliciously constructed ~/.fwknop.run file
   Upstream patch:
   [3] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=a60f05ad44e824f6230b22f8976399340cb535dc

For the remaining ones:
=======================
5) several conditions in which the server did not properly throw out maliciously constructed variables in the access.conf file
   Upstream patch:
   [4] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=e2c0ac4821773eb335e36ad6cd35830b8d97c75a

   Note: This doesn't look like a security flaw (previously possible to provide malicious values
   to access.conf file, but I assume it would required administrator privileges).

6) [test suite] Added a new fuzzing capability to ensure proper server-side input validation.
   Note: Test-suite add-on, no CVE needed.

7) Fixed RPM builds by including the $(DESTDIR) prefix for uninstall-local and
   install-exec-hook stages in Makefile.am.
   Upstream patch:
   [5] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=c5b229c5c87657197b0c814ff22127d870b55753
   
   Note: Also doesn't look like a fix for a security flaw.

Could you allocate CVE ids for issues 1), 2), 3), and 4) ?

[Cc-ed Damien and Michael from fwknop upstream to confirm
they {the first four} should receive a CVE identifier].

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ