Date: Thu, 16 Apr 2015 11:10:37 +0530
From: Huzaifa Sidhpurwala <>
Subject: Re: Re: Problems in automatic crash analysis frameworks

On 04/16/2015 10:50 AM, wrote:
>> IMO two CVEs are required:
>> "Various symlink flaws in abrt" and "Various race conditions in abrt"
> For purposes of CVE, a set of vulnerabilities related to symlink
> following normally isn't assigned two CVE IDs solely because some of
> the symlink attacks depend on a race condition, whereas other symlink
> attacks don't depend on a race condition.
> The specific exploitation scenario disclosed in raceabrt.c is about
> replacing maps with a symlink to /etc/passwd and then waiting for the
> next line of the code to chown /etc/passwd. This requires symlink
> following, and will have the same CVE ID as other issues that require
> symlink following.
> If the only goal of an attacker were to delete the maps file in order
> to cause data loss, then we think that attacker does not need to win a
> race. That attacker can delete the maps file either before or after
> the chown. (It's also conceivable that file deletion, by itself, was
> considered an acceptable risk, and not a valid attack goal.)
> However, the text of
> said "is
> vulnerable to a filesystem race where a user unlinks the file." That's
> why we asked about the possibility of another scenario in which:
>   1. The ultimate goal is only to unlink the file.
>   2. Achieving this ultimate goal requires winning a race.
> We think there isn't any such scenario, but we wanted to confirm
> that before doing a CVE mapping. If there isn't any such scenario,
> then the total number of CVE IDs for the whole "Furthermore, Abrt
> suffers" section will be 1.
My previous email was based on general observation; I really don't have
a preference. Please feel free to assign a CVE; if other issues are
discovered we will let MITRE know.

Huzaifa Sidhpurwala / Red Hat Product Security Team
