Date: Tue, 6 May 2014 04:07:32 -0400 (EDT)
From: cve-assign@...re.org
To: zanchey@....gu.uwa.edu.au
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Upcoming security release of fish 2.1.1

> There is also a symlink attack that doesn't depend on a race condition, so we'll
> include a patch for that as well.
> 
> Could we have an additional CVE-ID assigned, please?

First, we should mention that a single CVE ID cannot be used for a set
of related issues that have different affected versions. For the
earlier message that mentioned CVE-2014-2906 and CVE-2014-2914,
approximately two more CVE IDs will be needed. We will send those
later.

For "a symlink attack that doesn't depend on a race condition,"
ultimately the answer is yes, you can have a separate CVE ID - use
CVE-2014-3219. Probably at least a few oss-security readers would want
us to explain why, so here's the explanation for them.

When there are discoveries of two instances of essentially the same
composite, and there's any difference in the set of weaknesses for
those two instances, we might want to have a general rule that two
separate CVE IDs are always assigned. In practice, the Symlink
Following composite is treated as somewhat of a special case in CVE.
If we have one Symlink Following instance associated with two
weaknesses, and a different Symlink Following instance associated with
three weaknesses, we sometimes assign only one CVE ID. Possibly we
will reevaluate that. (There's also often a complication that the
available information is only that distinct Symlink Following
instances exist; the information about the weaknesses is missing.)

For the code fixed in the
https://github.com/fish-shell/fish-shell/commit/c0989dce2d882c94eb3183e7b94402ba53534abb
commit, an additional factor is that the Symlink Following composite
exists and is relevant, but there's a more important attack that does
not rely on Symlink Following. In between when the temporary filename
is chosen and when the temporary filename is used, the attacker can
place something at the temporary pathname. One option is a symlink,
and fish will follow that symlink and perhaps overwrite an important
file. Another option is a plain world writable file. In that case,
fish writes to the file, but the attacker can change the contents of
the file immediately before fish proceeds to execute the file. Thus,
even if we did the abstraction based on "same commonly used composite
name," we would still end up with a different CVE ID than for the new
"symlink attack that doesn't depend on a race condition" report,
because the pre-c0989dce2d882c94eb3183e7b94402ba53534abb code isn't
solely characterized by a Symlink Following composite. Finally, we
probably don't want to have two CVE IDs for a single case where mktemp
is introduced - even when both Symlink Following and (roughly
speaking) code injection are possible from the same set of weaknesses.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
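
The window this message describes, between choosing a temporary filename and using it, shown as an added shell example that is not part of the original message or of fish's code. The function names, the `edit_script` prefix and the sandbox layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; every path and name below is constructed for illustration.

# Unsafe: the name is chosen first and opened later. Whatever already sits
# at that path (a symlink, someone else's writable file) is used as-is.
write_script_unsafe() {
    dir=$1; body=$2
    tmp_path="$dir/edit_script.$$"          # predictable: directory + PID
    printf '%s\n' "$body" > "$tmp_path"     # '>' follows a pre-existing symlink
    printf '%s\n' "$tmp_path"
}

# Hardened: mktemp(1) picks an unpredictable name and creates the file in one
# step, failing rather than reusing an existing entry; the file is mode 0600.
write_script_safe() {
    dir=$1; body=$2
    tmp_path=$(mktemp "$dir/edit_script.XXXXXXXXXX") || return 1
    printf '%s\n' "$body" > "$tmp_path"
    printf '%s\n' "$tmp_path"
}

# Print the victim file's content after a writer runs in a directory where
# a symlink already occupies the predictable name.
victim_after() {
    writer=$1
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/symdemo.XXXXXXXXXX") || return 1
    printf 'original\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/edit_script.$$"
    "$writer" "$sandbox" 'echo edited' > /dev/null
    cat "$sandbox/victim"
    rm -rf "$sandbox"
}

# Print the permission string of the file a writer produced, to show that
# no other user can change it between the write and a later execution.
mode_after() {
    writer=$1
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/symdemo.XXXXXXXXXX") || return 1
    created=$("$writer" "$sandbox" 'echo edited') || return 1
    ls -ld "$created" | cut -c1-10
    rm -rf "$sandbox"
}

echo "unsafe writer, victim is now: $(victim_after write_script_unsafe)"
echo "safe writer,   victim is now: $(victim_after write_script_safe)"
echo "safe writer,   file mode:     $(mode_after write_script_safe)"
```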
