Date: Fri, 15 Aug 2014 04:24:43 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, steve@...ve.org.uk, xcfa@...family.org
Subject: Re: CVE request: xcfa: Insecure use of temporary files, subject to race conditions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugs.debian.org/756600

As mentioned in the http://openwall.com/lists/oss-security/2014/05/06/3 post, the Symlink Following composite is treated as somewhat of a special case in CVE. This doesn't, for example, mean that all problematic uses of files in /tmp are always covered by a single CVE ID.

>> rm /tmp/index.html
>> any existing file called /tmp/index.html will be removed regardless

This may be an issue that is typically treated as a usability problem (or maybe a documentation problem), not a security problem. The rm program should remove /tmp/index.html - it should not remove the target of a /tmp/index.html symlink. (If there is a race condition within an implementation of rm, that would not be an xcfa vulnerability.)

Ideally, xcfa would not remove /tmp/index.html because /tmp/index.html might be an important file unrelated to xcfa. However, there doesn't seem to be a way to design an "attack" in the traditional sense, and /tmp/index.html isn't a filename that would be important in typical cases. For example, if I have a critical file named file.txt~ and a less important file named file.txt, and I decide to modify file.txt with emacs, then file.txt~ is overwritten with no warning. This is typically not considered an emacs vulnerability.

https://bugs.debian.org/756600 covers a number of Symlink Following issues that allow overwriting files. Use CVE-2014-5254 for all of these.

>> fp = fopen ("/tmp/get_infos_dvd.sh", "w");
>>
>> fprintf (fp, "#!/bin/sh\n");
>> fclose (fp);
>> system ("chmod +x /tmp/get_infos_dvd.sh");
>>
>> system ("/tmp/get_infos_dvd.sh");

This one doesn't seem to be necessarily a Symlink Following issue. At the instant of the fopen, /tmp/get_infos_dvd.sh might be a plain file (not a symlink), owned by the attacker but with 0777 permissions. The fopen/fprintf/fclose would succeed, and the chmod would fail. The attacker can insert malicious code into /tmp/get_infos_dvd.sh in between the fclose line and the second system line.

Use CVE-2014-5255 for this.

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
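As an added example (not xcfa's code and not part of the list post), here is the fopen/chmod/system sequence quoted above rewritten so that the window between writing the script and executing it no longer exists: the script is created inside a fresh mkdtemp() directory (mode 0700), opened with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-placed file or symlink makes it fail instead of being written to, and given its executable mode at creation rather than by a later "chmod +x". The function names and the xcfa-XXXXXX directory template are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the script at path only if nothing is there yet: O_EXCL refuses an
 * existing file, O_NOFOLLOW refuses a symlink, and mode 0700 is applied at
 * creation, so the body is never written into a file someone else owns and
 * no separate chmod step is needed. Returns 0 on success, -1 on failure. */
int create_script_excl(const char *path, const char *body)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0700);
    if (fd < 0)
        return -1;
    size_t len = strlen(body);
    ssize_t n = write(fd, body, len);
    if (n < 0 || (size_t)n != len) {
        close(fd);
        return -1;
    }
    return close(fd) == 0 ? 0 : -1;
}

/* Replacement for fopen("/tmp/get_infos_dvd.sh") + chmod: the script is
 * placed in a private mkdtemp() directory (mode 0700), so no other user can
 * pre-create, replace or append to it between the write and the execution.
 * On success path receives the script's location and 0 is returned; the
 * caller runs it (e.g. system(path)) and then removes file and directory. */
int write_private_script(const char *body, char *path, size_t pathsz)
{
    const char *tmp = getenv("TMPDIR");          /* assumption: honour TMPDIR */
    char dir[4096];
    if (snprintf(dir, sizeof dir, "%s/xcfa-XXXXXX", tmp ? tmp : "/tmp") >= (int)sizeof dir)
        return -1;
    if (mkdtemp(dir) == NULL)
        return -1;
    if (snprintf(path, pathsz, "%s/get_infos_dvd.sh", dir) >= (int)pathsz ||
        create_script_excl(path, body) != 0) {
        rmdir(dir);                               /* leave nothing behind on failure */
        return -1;
    }
    return 0;
}
```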