Date: Thu, 19 Jul 2012 17:37:13 -0400 (EDT) From: cve-assign@...re.org To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: CVE-2012-4024 and CVE-2012-4025: Squashfs overflows -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4024 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4025 We wanted to mention these two recent open-source CVEs here because the upstream vendor expressed a position that the issues don't qualify for CVE inclusion, and indicated that he often uses CVE in his work on code unrelated to Squashfs. This post isn't meant to suggest any level of urgency for Linux distributions to produce new Squashfs packages. It's conceivable that actual exploitation of these vulnerabilities will never occur anywhere. Although Squashfs is a Linux filesystem, these two CVEs are about a utility program that is, in some ways, similar to tar or other archive programs. In general, if an archive file might be obtained from an untrusted remote source, and crafted data within the archive file potentially leads to arbitrary code execution during extraction, the issue can be included in CVE. There are many CVEs in this category (e.g., see CVE-2011-1777 and CVE-2011-1778 in RHSA-2011:1507-1). CVE-2012-4025 also fits into this category. CVE-2012-4024 is different because the crafted data isn't in the archive file. Specifically, the crafted data must be in a list file that's similar to the list file used with the "tar -T" option. One threat model is that an attacker announces 'We have created an example of our project as a squashfs filesystem. The downloadable files are myproject.sqsh and myproject.list. If you only want the source code, you can extract it by running the "unsquashfs myproject.sqsh -ef myproject.list" command.' If myproject.list is long enough (e.g., thousands of lines with reasonable source-code filenames and one line with exploit code), probably most people wouldn't notice that the file isn't legitimate. Some similar issues involving archive programs don't qualify for CVE inclusion because there is no plausible threat model. Ones that are proposed occasionally include situations where a crafted filename must be entered on the command line, and situations where the victim must use a crafted configuration file. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/obtain_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (SunOS) iQEcBAEBAgAGBQJQCHqAAAoJEGvefgSNfHMdSTMH/Rp4tQhLhY9SB1kE/DiAH7VF gDV+uIoAx9G4GQwmA9tYTErKzXjsnob9A5WRQhSrbFdpNEkwOWZkvXWrN/Q42gj3 Ac9ga+JkHrd/IdOINhvV1w3dzX8w9MyjZlHBE1Zs6tcb9IExu667a1WiBqAFjpKO XnMHFOT5Qi5zFsA2N39hnpLiekQ5gtY+HZ0gCN0IIefEXIm4SHdbVYhBqY12b8Lq g4C2USDattV3SrFbVGOAlYUxBjX7ki7qrggnUGCNRefHKYHh0xKepS5KayRQQc4h tISphBcubCCdQVBlR7kgaJEugIWQc8p1iPebd473fo/cNFjDvM0QQ3SlqZN8xb8= =Ov+l -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.