Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 7 Oct 2008 16:56:27 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: coley@...re.org
Subject: Re: duplicates: CVE-2008-4406 and CVE-2008-4407 [sabre
 insecure temp file]


On Sat, 4 Oct 2008, Steffen Joeris wrote:

> The CVE ids issued for sabre regarding the insecure use of the tmp file
> are the same. The issue was introduced by a debian patch, but other
> vendors might have possibly patched it the same way. I suggest to mark
> one of them as a duplicate though, because it might be confusing.

We happened to SPLIT on the symlink issue versus the "can't overwrite
/tmp/sabre.log" issue because fixing the symlink does not necessarily fix
the other problem.  Also, if the patch introduced CVE-2008-4407 and others
might have used that patch, these are distinct errors - someone might have
fixed CVE-2008-4406 but not CVE-2008-4407.

Some more explanation is below; let me know if I'm still missing
something.

I've noticed that Debian generally treats multiple different errors as a
more general "insecure file creation" issue.  For CVE, we haven't figured
out how to handle this.

- Steve

======================================================
Name: CVE-2008-4406
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4406
Acknowledged: yes bug-report
Announced: 20081001
Flaw: link
Reference: MLIST:[oss-security] 20081001 CVE id request: sabre
Reference: URL:http://openwall.com/lists/oss-security/2008/10/01/1
Reference: CONFIRM:http://bugs.debian.org/433996

A certain Debian patch to the run scripts for sabre (aka xsabre)
0.2.4b allows local users to delete or overwrite arbitrary files via a
symlink attack on unspecified .tmp files.


Analysis:
WIKI: Message #10 in bug 433996 says "delete" whereas
oss-security/2008/10/01/1 says "overwriting."

WIKI: It is unclear whether ".tmp files" is different from
/tmp/sabre.log.

ACKNOWLEDGEMENT: in Debian bug 433996, Nico Golde set the severity to
"grave," implying acknowledgement.


======================================================
Name: CVE-2008-4407
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4407
Acknowledged: unknown
Announced: 20081001
Flaw: other
Reference: MISC:http://bugs.debian.org/433996

XRunSabre in sabre (aka xsabre) 0.2.4b relies on the ability to create
/tmp/sabre.log, which allows local users to cause a denial of service
(application unavailability) by creating a /tmp/sabre.log file that
cannot be overwritten.


Analysis:
INCLUSION: This seems to be a distinct vulnerability, although this
type of vulnerability happens to accompany cases of symlink
vulnerabilities that involve fixed filenames and unprivileged users.

ACKNOWLEDGEMENT: in Debian bug 433996, Nico Golde set the severity to
"grave," implying acknowledgement.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.