Date: Mon, 6 Oct 2014 02:43:18 -0400 (EDT) From: cve-assign@...re.org To: krahmer@...e.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, mbriza@...hat.com Subject: Re: various sddm vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > From: mbriza@...hat.com > Although we don't believe any of the issues you reported could lead to > a privilege escalation (as some of the resulting bugreports suggest), > we consider them to be security issues. > https://github.com/sddm/sddm/pull/279 > https://bugzilla.suse.com/show_bug.cgi?id=897788#c6 > sddm user is not available for choosing in the first place As far as we can tell, the vendor considers it a vulnerability for unauthenticated logins as sddm to succeed, so we'll assign CVE-2014-7271. The conditions under which this can happen are not clear; maybe one or more of these is true: - sddm is a regular user account, not a uid-below-1000 account, on some systems because a Linux distribution is allowed to customize the sddm account name in its own sddm package - sddm is a regular user account, not a uid-below-1000 account, on some systems because that username was in use before sddm was installed - there's a way to choose to login as sddm even if sddm isn't on the list of users > https://bugzilla.suse.com/show_bug.cgi?id=897788#c7 > https://bugzilla.suse.com/show_bug.cgi?id=897788#c8 > https://bugzilla.suse.com/show_bug.cgi?id=897788#c9 > https://github.com/sddm/sddm/pull/280 Apparently the primary problem is unsafe write operations into a directory that's completely controlled by a unprivileged user. (The chown is, in some sense, a write operation on security-relevant file metadata.) Use CVE-2014-7272 for all of these three. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUMjmKAAoJEKllVAevmvmsyBcH/RNiNIUywq9yYODGZ1/2bPWU acu4SMFvHtZ0eP26c1KYq5R7WJG/3TQwCz9OdA1SjfxcIwnBGNFOd+f85SA95v/t QVS7kLmGZQ74Z+zd+WQBDd5HNIQRpz3hJM1ppIMDwQY3xgulRN71GUKI/IRNVAL/ cxIxHnhqPWoO7Uc0+3IRZkp7fJ07+NQZreaUMxBZWYe/hE5tJXxhQIM+wuFJ0XEs DMjs2gRspQQiv2TRQX1S09vg7oVdrgTIkJPJsVPqqzMBjq6mMYIIj/yuKiU8pel+ EMBZtSedbJESOawciOKsrFLJ1ZaYGydOhKFBhu4DHAf1FXl7Ii+h8QDeOOSF+5M= =GZYa -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ