Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 11 Sep 2014 20:31:39 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: vos tmp vuln

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> vos-1.10.4/vos/md5_cache.py
>    def __init__(self, cache_db="/tmp/#vos_cached.db#"):

Nothing in your message shows that the MD5_Cache class is ever used
with that /tmp pathname. Also, your message doesn't show whether or
not the ultimate open call for that pathname uses O_EXCL|O_CREAT. The
following might possibly be relevant to this missing information:

  - the "md5Cache = md5_cache.MD5_Cache()" line in scripts/vsync

  - https://github.com/python/cpython/blob/master/Modules/_sqlite/connection.c

Those two items may be enough to show that a symlink attack can occur,
but we'll let you fill in the details.

For CVE assignments, it's not enough to show that the code contains a
/tmp pathname that is apparently used for write access. In a typical
case, it's also necessary to show that the piece of code is actually
executed during use of the product, the /tmp pathname is actually
used, and the specific open operation is unsafe in the presence of a
symlink. All of this can be straightforward for a self-contained sh or
possibly Perl script, but is often much less straightforward for
Python.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUEj37AAoJEKllVAevmvmsqMsH/iOBf4ACYyNyc97bTf0upT+s
V5KYwtG8UpXk7rwwbiELUFt3N7Y07NBbKDwnvKCRnZflRytCEdn1S9qrsQ5pOO/p
VDJlX9xFEjqJhYjRpqcXT81p2OaHiv3s0sdfHhPdcubXDuax+EqNgRVmOPmxSQo3
0x4/dK7ZDPXhF16oZXy/K7ETsrBoxztVRv1D13V+fI81ghJe9JYcKdlQX3j911U2
5rnepL3WxNHQu0KhGvMEIsLkfR5X0eM6JGrXFXYxOJ7sZd3ba0cmjgLzJsDnTvxW
TF9yNFok0CkQEAt4m0FD8ioRKLE8ep0giKZd1aix6twGpgkapgmoTEFKRV0lmrQ=
=+bTm
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ