Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform Pro for Linux Pro for Mac OS X Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repository (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon,  6 Oct 2014 02:43:18 -0400 (EDT)
From: cve-assign@...re.org
To: krahmer@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, mbriza@...hat.com
Subject: Re: various sddm vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> From: mbriza@...hat.com

> Although we don't believe any of the issues you reported could lead to
> a privilege escalation (as some of the resulting bugreports suggest),
> we consider them to be security issues.

> https://github.com/sddm/sddm/pull/279

> https://bugzilla.suse.com/show_bug.cgi?id=897788#c6
> sddm user is not available for choosing in the first place

As far as we can tell, the vendor considers it a vulnerability for
unauthenticated logins as sddm to succeed, so we'll assign
CVE-2014-7271. The conditions under which this can happen are not
clear; maybe one or more of these is true:

  - sddm is a regular user account, not a uid-below-1000 account, on
    some systems because a Linux distribution is allowed to customize
    the sddm account name in its own sddm package

  - sddm is a regular user account, not a uid-below-1000 account, on
    some systems because that username was in use before sddm was
    installed

  - there's a way to choose to login as sddm even if sddm isn't on the
    list of users


> https://bugzilla.suse.com/show_bug.cgi?id=897788#c7
> https://bugzilla.suse.com/show_bug.cgi?id=897788#c8
> https://bugzilla.suse.com/show_bug.cgi?id=897788#c9
> https://github.com/sddm/sddm/pull/280

Apparently the primary problem is unsafe write operations into a
directory that's completely controlled by a unprivileged user. (The
chown is, in some sense, a write operation on security-relevant file
metadata.) Use CVE-2014-7272 for all of these three.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUMjmKAAoJEKllVAevmvmsyBcH/RNiNIUywq9yYODGZ1/2bPWU
acu4SMFvHtZ0eP26c1KYq5R7WJG/3TQwCz9OdA1SjfxcIwnBGNFOd+f85SA95v/t
QVS7kLmGZQ74Z+zd+WQBDd5HNIQRpz3hJM1ppIMDwQY3xgulRN71GUKI/IRNVAL/
cxIxHnhqPWoO7Uc0+3IRZkp7fJ07+NQZreaUMxBZWYe/hE5tJXxhQIM+wuFJ0XEs
DMjs2gRspQQiv2TRQX1S09vg7oVdrgTIkJPJsVPqqzMBjq6mMYIIj/yuKiU8pel+
EMBZtSedbJESOawciOKsrFLJ1ZaYGydOhKFBhu4DHAf1FXl7Ii+h8QDeOOSF+5M=
=GZYa
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ