Date: Fri, 14 Feb 2014 11:50:29 -0500 (EST) From: cve-assign@...re.org To: helmut@...divi.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: Bug#738855: initscripts: Skip killing root-owned process starting with @ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738855 > Message #34 This message starts by discussing initscripts, but ends by discussing a CVE assignment for systemd. That CVE assignment would potentially be reasonable, but we wanted to first clarify what is being asked. We think you mean: - adding a patch to initscripts to introduce more compatibility between initscripts and systemd may be considered a security enhancement, and probably would not be considered a vulnerability fix, so no CVE ID is being requested for a problem in the unpatched initscripts code - this systemd commit http://cgit.freedesktop.org/systemd/systemd/commit/src/core/killall.c?id=bd3fa1d2434aa28564251ac4da34d01537de8c4b introduced the killall.c file. In the first version of this file, the /* Non-root processes otherwise are always subject to be killed */ if (uid != 0) return false; ... /* Processes with argv = '@' we ignore from the killing * spree. * * http://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons */ if (count == 1 && c == '@') return true; return false; code was included. - you are proposing that the above "return true" line is a vulnerability because it may allow a not-fully-privileged root user to cause data loss. This could possibly have one CVE ID. One of the arguments against assigning a CVE ID is that this "return true" could have been an intentional tradeoff between perfect privilege checking and design complexity. For environments with not-fully-privileged root users, we're not sure whether there's general acceptable of a guideline that OS components must never contain any program logic to make any security-relevant decision on the basis of the uid value. - versions of systemd before bd3fa1d2434aa28564251ac4da34d01537de8c4b, in which killall.c did not exist, may have had other problems because the right processes were not killed at the right times. This could possibly have a second CVE ID if there were security implications. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJS/kjTAAoJEKllVAevmvmsNHQH/AlPmrhJVIatj4vPKWj8bPSj Te1Yc9/kU3Z/Ox7zu4tM7HpAK4ZlNk1NNl8trgICnc0dMcbcv/KjL5wj/g9AzLTk GR1ItUF6JtiyTrEfP/WhaH1DEkKn3p5/XvBWdzd+0+cxFVoBnvYwMtXWv2vWsLPQ QRSOeInvqYQtpaetXUA3TNATd9FjTBCX8xYwj1rPAee0cQ3CSeE4+HckG5hCtvct aJ0/F6SuiSBzc3BvlmZC+8QPptYc6XrcSdkXDB11dkqeDJ4jXGRL+IBTYS2rfEWl xg44LbowiUjoN/4gieZZsrHVgAdhGi404HiediU5qorDFSrc7Dcmk4/xHWLcYqU= =BYck -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ