Date: Thu, 27 Sep 2012 00:58:59 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Raphael Geissert <geissert@...ian.org>, Tomas Hoger <thoger@...hat.com>
Subject: Re: CVE request: opencryptoki insecure lock files handling


On 09/24/2012 10:50 PM, Raphael Geissert wrote:
> On Thursday 20 September 2012 09:10:14 Tomas Hoger wrote:
>> Ok, so I think we need 1 CVE for the two insecure temporary file
>> uses, unless we want to split each temporary file issue under a
>> separate CVE.  I don't believe there's a real need to assign a CVE
>> for 2.4.1 (which did not improve things on systems with world
>> writable /var/lock) or 2.4.2 (which re-opens the attack for
>> pkcs11 group members on systems with restricted /var/lock, but
>> improves things on systems with world writable /var/lock).
> 
> I think two ids is more appropriate given that the issue isn't
> fixed in 2.4.1 for systems with world writable /var/lock. 2.4.2, on
> the other hand, covers both scenarios (given that pkcs11 group
> membership is already considered root-equivalent.)
> 
> Regards,

Apologies for the late reply.

I'm going to assign 2 CVEs:

Please use CVE-2012-4454 for opencryptoki insecure lock files handling
in /tmp in 2.4.0

Please use CVE-2012-4455 for opencryptoki insecure lock files handling
in /var/tmp in 2.4.1


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
