Date: Thu, 16 Apr 2015 11:10:37 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Problems in automatic crash analysis frameworks

On 04/16/2015 10:50 AM, cve-assign@...re.org wrote:
>> IMO two CVEs are required:
>
>> "Various symlink flaws in abrt" and "Various race conditions in abrt"
>
> For purposes of CVE, a set of vulnerabilities related to symlink
> following normally isn't assigned two CVE IDs solely because some of
> the symlink attacks depend on a race condition, whereas other symlink
> attacks don't depend on a race condition.
>
> The specific exploitation scenario disclosed in raceabrt.c is about
> replacing maps with a symlink to /etc/passwd and then waiting for the
> next line of the code to chown /etc/passwd. This requires symlink
> following, and will have the same CVE ID as other issues that require
> symlink following.
>
> If the only goal of an attacker were to delete the maps file in order
> to cause data loss, then we think that attacker does not need to win a
> race. That attacker can delete the maps file either before or after
> the chown. (It's also conceivable that file deletion, by itself, was
> considered an acceptable risk, and not a valid attack goal.)
>
> However, the text of
> http://openwall.com/lists/oss-security/2015/04/14/4 said "is
> vulnerable to a filesystem race where a user unlinks the file." That's
> why we asked about the possibility of another scenario in which:
>
> 1. The ultimate goal is only to unlink the file.
> 2. Achieving this ultimate goal requires winning a race.
>
> We think there isn't any such scenario, but we wanted to confirm
> that before doing a CVE mapping. If there isn't any such scenario,
> then the total number of CVE IDs for the whole "Furthermore, Abrt
> suffers" section will be 1.
>

My previous email was based on general observation; I really don't have
a preference.
Please feel free to assign a CVE; if other issues are discovered we will
let MITRE know.

--
Huzaifa Sidhpurwala / Red Hat Product Security Team
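
The symlink-following pattern discussed in this thread (a file written by path and then chowned by path), shown beside a descriptor-based alternative. This is an added example, not part of the original message and not abrt's code or its fix; the function names, the scratch directory and the "victim" stand-in file are assumptions constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Weak pattern: chown() resolves the path again, so a symlink swapped in
 * after the file was written is followed and its target changes owner. */
int chown_by_path(const char *path, uid_t uid, gid_t gid) {
    return chown(path, uid, gid);
}

/* Hardened pattern (hypothetical helper): O_CREAT|O_EXCL refuses any existing
 * entry, symlinks included, and fchown() acts on the inode just created. */
int save_owned_file(int dirfd, const char *name, const char *data,
                    uid_t uid, gid_t gid) {
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                  /* errno is EEXIST when name is taken */
    size_t len = strlen(data);
    int rc = write(fd, data, len) == (ssize_t)len ? 0 : -1;
    if (rc == 0)
        rc = fchown(fd, uid, gid);  /* later renames or swaps of name are irrelevant */
    close(fd);
    return rc;
}

/* Constructed scenario: "maps" in a scratch directory is a symlink to
 * "victim", a stand-in for a sensitive file. Returns 1 when the path-based
 * call followed the link and the hardened call refused with EEXIST. */
int demo_symlink_swap(void) {
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], maps[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(maps, sizeof maps, "%s/maps", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || symlink(victim, maps) != 0) return -1;
    close(vfd);
    int followed = chown_by_path(maps, geteuid(), getegid()) == 0;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    int refused = save_owned_file(dfd, "maps", "x", geteuid(), getegid()) == -1
                  && errno == EEXIST;
    close(dfd);
    unlink(maps); unlink(victim); rmdir(dir);
    return followed && refused;
}

int main(void) { return demo_symlink_swap() == 1 ? 0 : 1; }
```

The demonstration uses the caller's own uid and gid so it runs without privileges; in a privileged writer the same path-based call would hand the link target to another user.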