Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon,  8 Sep 2014 18:45:05 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Python robotframework - tmp vuln

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> 1, Is the "merge('../tmp/passing.xml', '../tmp/failing.xml')"
>>    debugging code, or is this code realistically used because a
>>    different piece of software has created passing.xml and failing.xml
>>    files?

> It's part of __main__ so it gets executed.

This doesn't really answer the question. In
e8e423dc99094d761ea6944e71bb75eb5c418c8c, the upstream vendor says
it's debug code. Also, note that result_merger.py is distributed with
0644 permissions. As far as we can tell, the
"merge('../tmp/passing.xml', '../tmp/failing.xml')" is executed (in
the potentially unsafe way) only if a user explicitly runs a command
such as:

  python full_pathname/result_merger.py

Otherwise, "__name__ == '__main__'" would be false.

There's apparently no motivation for an end user to enter this python
command in order to execute debug code that was meaningful only to the
developer.

To have a CVE for an issue involving a symlink attack, what we
typically look for is a case in which code is executed during normal
use of a product. In interpreting "normal use" situations, we think
it's reasonable to exclude a user's decision to locate random 0644
files and launch them in isolation with a script interpreter. The 0644
permissions are, at least in some cases, a signal that the file was
not intended to be executed in isolation. Products do not, in general,
come with security expectations that running a 0644 file directly is
safe (unless running the 0644 file is encouraged by the
documentation). There doesn't seem to be a good argument for a CVE
assignment regardless of the vendor's decision to delete the debug
code.

Possibly an example with sh would be simpler:

  % ls -ld /var/productdir/tmp
  drwxr-xr-x ...
  % cat /usr/bin/script1.sh
  #!/bin/sh
  export MYDIR=/var/productdir
  /bin/sh /usr/lib/product-1.0/files/script2.sh
  % cat /usr/lib/product-1.0/files/script2.sh
  echo test > $MYDIR/tmp/file.txt
  % ls -l /usr/bin/script1.sh
  -rwxr-xr-x ...
  % ls -l /usr/lib/product-1.0/files/script2.sh
  -rw-r--r-- ...

Here, there could be a symlink attack if script2.sh is used in
isolation. However, it seems best not to categorize script2.sh as
having an "unsafe use of /tmp" or "symlink attack" vulnerability. For
an arbitrary script2.sh file in an analogous situation, we'd typically
want to see the following before assigning a CVE ID:

  - documentation telling a user to run
    "sh /usr/lib/product-1.0/files/script2.sh"

or

  - executable permissions (such as 0755) for script2.sh along with
    (probably) a reason to expect that it would actually be run,
    such as any of these:

       - the location of script2.sh would realistically be added
         to a user's path

       - documentation of the purpose of script2.sh, when run in
         isolation, exists

       - by reading the script2.sh code, a user could notice that
         it accomplishes something useful in isolation

       - the actual filename suggests that the code accomplishes
         something useful in isolation

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUDjDEAAoJEKllVAevmvmsGagIALXkDmmPDZyaOpi4TUjKmyfI
oqaRfHRdp1UIsCKIscA3G2fSOs4IoulCn8XL03Gq3/mF4WstKCBbpTfRV+Tj0Wxj
TlT5tG4pdYnqCTwIhDOElHme4HqvOnR8ID2wZg4gIDNdS6RMNcVBjEgVjGdyOcP8
19GIT/e4avvN5NaugyJWi4paKkjfDDvsoXiHFQvYSR11/lBO6mYJKS+r13x55b2l
aM/53LIi7vGwI3Y/UgX5KClPRkAxnjBvkkzUJ8SJRM30tlUy6DoxlXyCX7hvz3Oj
vO94HlWdS/2cJeLeyTxZeT4fG92pscFcCTIXZsqTAagWNe8FC0JUzvNfpYsP20A=
=Rcqe
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.