Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue,  3 Mar 2015 20:08:28 -0500 (EST)
From: cve-assign@...re.org
To: gmc@...library.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request - Evergreen

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/

We have these initial questions, in part to determine whether there should
be a total of two CVE IDs or three CVE IDs.

http://openwall.com/lists/oss-security/2015/03/03/11 says:

> Both bugs had permitted remote unauthenticated access of confidential
> application configuration settings.

but https://bugs.launchpad.net/evergreen/+bug/1206589 says:

> Any user who can authenticate to Evergreen and make the proper
> open-ils.pcrud calls can view the history of any setting ... once
> anonymous pcrud goes in, no login would be required either.

Was there a released version of Evergreen in which an unauthenticated
attacker could view a setting's history by exploiting this bug?

https://bugs.launchpad.net/evergreen/+bug/1206589 also says:

> An immediate fix for this would be to add a permission, just about any
> permission that a patron would not have ... The
> collab/dyrcona/lp1206589-quick-fix branch in the security repo adds a
> retrieve permission of STAFF_LOGIN ... That leaves us pretty much
> where the initial bug reports assumes we were with settings exposed
> only to unauthorized staff ... Since I have suggested removing the
> open-ils.pcrud controller, leaving cstore as the only mode of access
> to these settings, new API calls would need to be added to search and
> retrieve the settings history.

and
http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=ac588e879cf73ff1b65617e0bd273361d3529063
says:

> Temporary Fix for Org. Unit Settings History Bug
     
>  1. It adds a retrieve permission of STAFF_LOGIN.  This at least
> requires someone with staff permission to be able to view settings
> history.

Does this mean that:

 - in version 2.7.3, there is a major vulnerability in which a
   setting's history can be viewed by any authenticated user,
   including users with the "patron" role

 - in version 2.7.4, there is a minor vulnerability in which a
   setting's history can be viewed by all persons with the staff role,
   which would include unauthorized staff in many realistic
   deployments. This might be fixed in a future release by forcing all
   access to use cstore, or by some other undetermined change.

?

> https://bugs.launchpad.net/evergreen/+bug/1424755

This seems to be a much simpler case that was completely fixed by
http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=3a0f1cc7b2efa517ee4cd4c6a682237554fed307
and had allowed unauthenticated access. It will have only one CVE ID.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU9lpzAAoJEKllVAevmvmsbdQH/22bw/68/mpyxJ6cOvlw7e1M
QSfNIO+feS9aS9c7k7y2g6yV0KEC7b261gSLQlJFpPVYq7sBh/Y9jLcQhINOWb1j
8m5DP8lqHF4iiCXxxxwJsG5MM2AxvKnk0KXcfGu8qnd6OOmuO4xC+hM5P3XdpRFQ
RJeQU8lSDYHD3yb9D+lfvybr/2ceUVAVTuJCeCLDBj0yr7Gvn3+R0as/mqTt6jyU
EQqciiLFntiucwSOAFQDD0rA0/9JP+ORDC47BcIyDgi0Xca/T+36NbeIsskMXEjO
liBCap+fLIuFWQ0dx5zS+9YQjYwaWyTeaXOFTfjhPUVkgao2CF5aoRSL0qL1zIg=
=3sHe
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.