Date: Fri, 1 Jul 2016 19:46:27 +0200 From: Andreas Stieger <astieger@...e.com> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: SQLite Tempdir Selection Vulnerability Posted on FD: > KL-001-2016-003 : SQLite Tempdir Selection Vulnerability > > Title: SQLite Tempdir Selection Vulnerability > Advisory ID: KL-001-2016-003 > Publication Date: 2016.07.01 > Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt > > > 1. Vulnerability Details > > Affected Vendor: SQLite/Hwaci > Affected Product: SQLite > Affected Version: All versions prior to 3.13.0 > Platform: UNIX, GNU/Linux > CWE Classification: CWE-379: Creation of Temporary File in Directory > with Incorrect Permissions > Impact: Data Leakage > Attack vector: Local Release notes say: > Change the temporary directory search algorithm > <http://www.sqlite.org/tempfiles.html#tempdir> on Unix to allow > directories with write and execute permission, but without read > permission, to serve as temporary directories. Apply this same > standard to the "." fallback directory. The covering commits seem to be: http://www.sqlite.org/cgi/src/info/67985761aa93fb61 Change the temporary directory search algorithm on unix so that directories with only -wx permission are allowed. And do not allow "." to be returned if it lacks -wx permission. http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3 Fix the fix to the temporary directory search algorithm so that it continues to return "." as a fallback if that directory has the correct permissions. http://www.sqlite.org/cgi/src/info/614bb709d34e1148 Fix the temporary directory search algorithm for unix so that it fails gracefully even if all candidate directories are inaccessible. This fixes a bug that was introduced by check-in [9b8fec60d8e]. Can a CVE please be assigned for this issue? Thanks, Andreas -- Andreas Stieger <astieger@...e.com> Project Manager Security SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ