Date: Thu, 16 Apr 2015 11:10:37 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Problems in automatic crash analysis frameworks

On 04/16/2015 10:50 AM, cve-assign@...re.org wrote:
>> IMO two CVEs are required:
> 
>> "Various symlink flaws in abrt" and "Various race conditions in abrt"
> 
> For purposes of CVE, a set of vulnerabilities related to symlink
> following normally isn't assigned two CVE IDs solely because some of
> the symlink attacks depend on a race condition, whereas other symlink
> attacks don't depend on a race condition.
> 
> The specific exploitation scenario disclosed in raceabrt.c is about
> replacing maps with a symlink to /etc/passwd and then waiting for the
> next line of the code to chown /etc/passwd. This requires symlink
> following, and will have the same CVE ID as other issues that require
> symlink following.
> 
> If the only goal of an attacker were to delete the maps file in order
> to cause data loss, then we think that attacker does not need to win a
> race. That attacker can delete the maps file either before or after
> the chown. (It's also conceivable that file deletion, by itself, was
> considered an acceptable risk, and not a valid attack goal.)
> 
> However, the text of
> http://openwall.com/lists/oss-security/2015/04/14/4 said "is
> vulnerable to a filesystem race where a user unlinks the file." That's
> why we asked about the possibility of another scenario in which:
> 
>   1. The ultimate goal is only to unlink the file.
>   2. Achieving this ultimate goal requires winning a race.
> 
> We think there isn't any such scenario, but we wanted to confirm
> that before doing a CVE mapping. If there isn't any such scenario,
> then the total number of CVE IDs for the whole "Furthermore, Abrt
> suffers" section will be 1.
> 
> 
My previous email was based on general observation; I really don't have
a preference. Please feel free to assign a CVE; if other issues are
discovered we will let MITRE know.

-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
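
The quoted message describes a path-based chown that follows a symlink placed at "maps". The following is an added example, not code from abrt or from either poster, showing that pattern next to a descriptor-based alternative that refuses the symlink. The function names, the temporary directory and the stand-in "victim" file are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened form: refuse a symlink at open time, check the type, then change
   ownership through the descriptor so no second path lookup can be raced. */
int chown_nofollow(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    int rc = -1;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;               /* ELOOP when name is a symlink */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
        rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}

/* Constructed scenario in a private temp dir: "maps" is a regular file or a
   symlink to a stand-in "victim" file. Returns the call's result, -2 on setup error. */
int run_case(int maps_is_symlink, int hardened)
{
    char dir[] = "/tmp/dumpdir-XXXXXX";
    if (!mkdtemp(dir)) return -2;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int vfd = openat(dfd, "victim", O_CREAT | O_WRONLY, 0600);
    int mfd = maps_is_symlink ? symlinkat("victim", dfd, "maps")
                              : openat(dfd, "maps", O_CREAT | O_WRONLY, 0600);
    int rc = -2;
    if (vfd >= 0 && mfd >= 0)            /* flags == 0: path-based, follows the final symlink */
        rc = hardened ? chown_nofollow(dfd, "maps", geteuid(), getegid())
                      : fchownat(dfd, "maps", geteuid(), getegid(), 0);
    close(vfd);
    if (!maps_is_symlink) close(mfd);
    unlinkat(dfd, "maps", 0);
    unlinkat(dfd, "victim", 0);
    close(dfd);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("path-based on symlink: %d, hardened on symlink: %d\n", run_case(1, 0), run_case(1, 1));
    return 0;
}
```

The path-based call succeeds on the symlink because the link target is what gets chowned; the hardened call fails at open and leaves the target untouched.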
