Date: Fri, 23 May 2014 14:21:19 -0400 (EDT)
From: cve-assign@...re.org
To: zanchey@....gu.uwa.edu.au
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Upcoming security release of fish 2.1.1

> http://openwall.com/lists/oss-security/2014/05/06/3

> First, we should mention that a single CVE ID cannot be used for a set
> of related issues that have different affected versions. For the
> earlier message that mentioned CVE-2014-2906 and CVE-2014-2914,
> approximately two more CVE IDs will be needed. We will send those
> later.

>> CVE-2014-2906: fish temporary file creation vulnerable to race condition
>> leading to privilege escalation
>> 
>>   Versions 1.23.0 to 2.1.0 (inclusive) execute code from these temporary files,
>>   allowing privilege escalation to those of any user running fish, including
>>   root.
>> 
>>   Additionally, from at least version 1.16.0 to version 2.1.0 (inclusive),
>>   fish will read data using the psub function from these temporary files,
>>   meaning that the input of commands used with the psub function is under the
>>   control of the attacker.

This actually needs two CVE IDs because there are two affected
functions, with different sets of affected versions. (For example,
there is a psub vulnerability in version 1.22.0, but there is no
funced vulnerability in 1.22.0 because funced didn't yet exist.)

For the psub vulnerability, please continue to use CVE-2014-2906.

For the funced vulnerability, please use CVE-2014-3856.


>>   fish version 2.1.1 restricts incoming connections to localhost only. At this
>>   stage, users should avoid running fish_config on systems where there are
>>   untrusted local users, as they are still able to connect to the fish_config
>>   service and elevate their privileges to those of the user running
>>   fish_config.

At present, we're not assigning an additional CVE ID for this "local
users ... elevate their privileges" issue. Our interpretation is that
you're not trying to make an announcement that 2.1.1 is a vulnerable
version. Instead, you're trying to document the machine environment on
which fish_config in 2.1.1 can be safely used (i.e., machines with
untrusted local users are not fully supported for fish_config at the
moment). If you actually wanted a CVE ID for versions 2.1.1 and
earlier, referring to the fish_config attack by local users, please
let us know.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
