Date: Thu, 21 Apr 2016 13:02:16 -0400 (EDT) From: cve-assign@...re.org To: stefan.kanthak@...go.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: GnuPG classic & GnuPG modern -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > Loading of multiple Windows system DLLs from the installers application > directory instead of Windows' system directory, a.k.a. DLL hijacking. Before proceeding with CVE ID assignment, we have some questions. We understand from your many reports of issues in other products that there is a realistic attack scenario in which a Trojan horse uxtheme.dll might already be present in the user's Downloads directory before the user downloads/launches a GnuPG installer file (such as gnupg-w32cli-1.4.20.exe or gnupg-w32-2.1.11_20160209.exe from the https://gnupg.org/ftp/gcrypt/binary web site). 1. Is this a vulnerability in code that was developed specifically for GnuPG, or is it a vulnerability in a third-party product that was used to create the GnuPG executable installer files? 2. You refer to "the installers application directory" - this is terminology that you have used in other reports about other products. Can you confirm that this commonly means a Downloads directory or %TEMP% -- and does not mean the %PROGRAMFILES%\GNU\GnuPG directory? In other words, "installers application directory" seems potentially ambiguous because %PROGRAMFILES%\GNU\GnuPG is the default application directory that is created by the installer. 3. Would it be better to consider this a vulnerability in any web browser, or other HTTP client, that defaults to saving all downloaded executable files and DLL files into a single Downloads directory? At least on Windows, if the user has chosen to download a .exe file, perhaps the default behavior should make that .exe file the only file in a directory, and that directory should be created in a safe location and with safe permissions. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXGQbdAAoJEHb/MwWLVhi2YK4P/jTK4C1dBDwE5qDRkEj/e6ut +JdnmZ/984MMawaH6uzjCJcIEWYmGtYslwHjd2HwFQxbGriYH4pMWIwqX1dAght+ VUJh/FOiOnMP6YrBEGtH4/q1r0ym5kWERaJv3ACu7/eaihqPJOrRnBlk9NfQfnbl iGt7vmivC9CrHB0YQaECV9JHYQDq9ka1X6XRkEyJBUt7J1+hQHScjzRoqod0hL1H Mvix96bFJAZJzM79A8IxJXOHVB6OiUTtkpcHdWtluLpXaT3H/PqpyL2tIriiv7YW VFqsLt6iXJrwJ8ZlTogqcOphinZhG/M1B3Htqe/5QOLqOzD7KDEoJ82kpj2pQCJU NDrsxiAf7gM8E9RDRVjzN/+fcdA4I+J8/jmdjJyc4uYI/xu44lcwKp2QHLThwKpP n5Ge7/jYH2krXp7iwwxkQMm6OOFW16BBFpA2myZkknCvxeiUbEsU8ul6JHxxCiil KtsOIE6oTpvjen1JqB5fXXzzf3W0dQB9AwtNxz5k9go1z+msASF5Ym5xgyh+Sc0L jilKt37HkMOYU0bOGN+FiWOvSzYCtIxRTOoEmaxxKZZxWnslALeRJfYqtm5p3Cq5 UgvEX96p2HekPnjljwakSE/U9Yuc42lROfQQNM8aZo+fKwIqpIPAT9ipWW0P1Dy0 z+gfciVkcWm70hXJvrVE =C6gY -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ