Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed,  6 May 2015 11:43:03 -0400 (EDT)
From: cve-assign@...re.org
To: misc@...b.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Local privileges escalation in rubygem open-uri-cached

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> open-uri-cached, a rubygem that will cache downloaded data when using
> open-uri, is susceptible to a local attack

It appears that the critical issue you've identified is execution of
code found in an untrusted location under /tmp. Use CVE-2015-3649.

In most cases, this specific class of /tmp misuse issues is unrelated
to Symlink Following. However, when such an issue exists, it is
conceivable that a Symlink Following vulnerability also exists, could
be fixed independently, and would be of interest to an attacker who
has a goal of overwriting a file rather than directly executing code.
The MITRE CVE team has not done any original research to check for a
Symlink Following vulnerability. If a Symlink Following vulnerability
were to exist, it would not be within the scope of CVE-2015-3649.

Also, the message refers to "usage of YAML in a insecure way." We have
not done any original research to determine whether, in a scenario
where the "untrusted location under /tmp" were no longer used, a
YAML-related vulnerability would still be exploitable. If an
independent "YAML misuse" vulnerability were to exist, it would not be
within the scope of CVE-2015-3649.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVSjYYAAoJEKllVAevmvmsBc0H/1rb5MtLd0UXcNc1Ez6dL3dC
tLUB6CrujIs3yp5ynaNsg6b2cmBoF6GxGRTB4ea4Lg9n4Bv/Ovr6u1aRhtx1gz1f
XtlPnlO4nOzC1Kh9aOa33SvxiRqUw+Ch7G4Vi9tAHYxaxBFH9DGhEvYCC3KWQ4Za
dSMirU3CfkNIywwp3xzAAltXy/tg4VXq4tM0x6j9KK2URhaPJuNVcZDsp12OSpDO
umhE3JJY0FL5eY1QD6YjbyrZbDe7HxjxjhpdpPV8Jh1qcdsttiY1vYq/CQWSwmDu
v/4GfZjw7pR3Bh0uBfVgZ2CmmnWNFCgX2ECWH8D6Nyfy2Im5vG16eFE45ANtRkY=
=NJDF
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ