Date: Mon, 8 Sep 2014 22:25:56 +0300 From: Mikko Korpela <mikko.korpela@...il.com> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: Re: Re: Python robotframework - tmp vuln Hi guys, I didn't get what was the security issue. Anyway I removed my little debug/test-program from the submodule so you can relax now. https://github.com/mkorpela/pabot/commit/e8e423dc99094d761ea6944e71bb75eb5c418c8c Please in the future if there are some concerns post them to the issue tracker. Best Regards, Mikko Korpela 2014-09-08 19:21 GMT+03:00 Kurt Seifried <kseifried@...hat.com>: > On 08/09/14 09:22 AM, cve-assign@...re.org wrote: >>> This is the first of many >> >> The MITRE CVE team obviously has no objection to your use of the >> oss-security list for raising new discussion topics such as the >> likelihood that a '../tmp/ substring represents a security problem. >> The comments below are only about obtaining CVE assignments from >> MITRE. >> >>> the reason I'm not assigning CVE's for these is this is a side project >> >> A CVE isn't going to be possible without further analysis explaining >> why a vulnerability exists in the specific case. There can't be an >> expectation that someone at MITRE is already familiar with the >> product, or will read and understand the complete source code as part >> of processing an oss-security message. >> >> Items that seem to be missing from the original message include: >> >> 1, Is the "merge('../tmp/passing.xml', '../tmp/failing.xml')" >> debugging code, or is this code realistically used because a >> different piece of software has created passing.xml and failing.xml >> files? > > It's part of __main__ so it gets executed. > >> 2. If there is a realistic situation in which the >> "merge('../tmp/passing.xml', '../tmp/failing.xml')" executes, would >> the cwd realistically be a first-level directory such as the /root >> or /tmp directory? > > yes if you run from within /root or /tmp, the "run from /root" would be > the obvious worry as it would indicate the root user is being used. > >> 3. For purposes of risk analysis, is unconstrained use of a ../tmp/ >> pathname always equivalent to unconstrained use of a /tmp/ pathname? > > If it ends up using /tmp/ then I would say that's a problem. is it > always a problem? I can't say. > >> A possible CVE assignment decision might be: >> >> A. If a different product came with a test suite containing: >> >> test_program > /tmp/merged.xml >> >> then it could have a CVE because /tmp/merged.xml might be a symlink to >> an important file. >> >> B. If the test suite were changed to: >> >> test_program > ../tmp/merged.xml >> >> with no constraints, then it could still have a CVE, because some >> people run test suites as root with a cwd of the /root directory. >> >> C. If ../tmp/ is used in "debugging code" that is intended to be run >> by a developer who understands the appropriate cwd, and this >> "debugging code" is not a "test suite" for users, then there is no CVE >> assignment. Admittedly, there might be cases where the distinction >> between "debugging code" and "test suite" is completely ambiguous. >> >> > > -- > Kurt Seifried -- Red Hat -- Product Security -- Cloud > PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 > -- Mikko Korpela
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ