Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 3 Feb 2014 15:28:24 -0500 (EST)
Subject: Re: CVE request: enlightenment sysactions

Hash: SHA1

> Red Hat Security suggested I request a CVE here since this potentially
> effects multiple distros/maintainers.


> These aren't security flaws, precisely, due to some of the other
> defaults that Fedora has that other distros/vendors may not, but
> upstream recently did some hardening to the defaults they provide (and
> we don't change) based on Martin Carpenter's report.

No one from another distribution responded with specific details that were
different from this "aren't security flaws, precisely" statement.
So, we will make the CVE assignments on the basis of the original report.

> The Enlightenment window manager ( was found to ship
> with (a) a setuid root helper that did not effectively sanitize its
> environment and (b) a weak default configuration. Users in select
> groups could exploit this to execute arbitrary programs as root.

> add more environment variables to nuke and add alternate envrionment
> nuke method to raise security level.

>  1. clear out environment as best is possible before executing
>     anything. especially PATH and IFS are set to minimal base defaults.
>     also use clearenv() if available and unsetenv()

Use CVE-2014-1845 for this issue in which the environment isn't
properly restricted.

> 2. remove gdb method as it's just too dangerous. run it as normal as
>    the user and if the kernel / distro dny that - then sorry. too bad.

Use CVE-2014-1846 for this issue in which gdb is available unsafely in
the unpatched codebase.

In this interpretation, "and (b) a weak default configuration. Users
in select groups could exploit this to execute arbitrary programs as
root" means that at least one not-equivalent-to-root user is able to
execute the helper program. In other words, it is not an independent

A specific Linux distribution might, for example, have an
implementation error in determining who is allowed to execute the
helper program. If anything like that is reported, additional CVE
assignments would be possible.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.