Date: Fri, 23 May 2014 14:21:19 -0400 (EDT)
Subject: Re: Upcoming security release of fish 2.1.1

> First, we should mention that a single CVE ID cannot be used for a set
> of related issues that have different affected versions. For the
> earlier message that mentioned CVE-2014-2906 and CVE-2014-2914,
> approximately two more CVE IDs will be needed. We will send those
> later.

>> CVE-2014-2906: fish temporary file creation vulnerable to race condition
>> leading to privilege escalation
>>   Versions 1.23.0 to 2.1.0 (inclusive) execute code from these temporary files,
>>   allowing privilege escalation to those of any user running fish, including
>>   root.
>>   Additionally, from at least version 1.16.0 to version 2.1.0 (inclusive),
>>   fish will read data using the psub function from these temporary files,
>>   meaning that the input of commands used with the psub function is under the
>>   control of the attacker.

This actually needs two CVE IDs because there are two affected
functions, with different sets of affected versions. (For example,
there is a psub vulnerability in version 1.22.0, but there is no
funced vulnerability in 1.22.0 because funced didn't yet exist.)

For the psub vulnerability, please continue to use CVE-2014-2906.

For the funced vulnerability, please use CVE-2014-3856.

>>   fish version 2.1.1 restricts incoming connections to localhost only. At this
>>   stage, users should avoid running fish_config on systems where there are
>>   untrusted local users, as they are still able to connect to the fish_config
>>   service and elevate their privileges to those of the user running
>>   fish_config.

At present, we're not assigning an additional CVE ID for this "local
users ... elevate their privileges" issue. Our interpretation is that
you're not trying to make an announcement that 2.1.1 is a vulnerable
version. Instead, you're trying to document the machine environment on
which fish_config in 2.1.1 can be safely used (i.e., machines with
untrusted local users are not fully supported for fish_config at the
moment). If you actually wanted a CVE ID for versions 2.1.1 and
earlier, referring to the fish_config attack by local users, please
let us know.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA