Date: Mon, 3 Feb 2014 15:28:24 -0500 (EST)
From: cve-assign@...re.org
To: mcarpenter@...e.fr
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: enlightenment sysactions

> Red Hat Security suggested I request a CVE here since this potentially
> affects multiple distros/maintainers.

> https://bugzilla.redhat.com/show_bug.cgi?id=1059410

> These aren't security flaws, precisely, due to some of the other
> defaults that Fedora has that other distros/vendors may not, but
> upstream recently did some hardening to the defaults they provide (and
> we don't change) based on Martin Carpenter's report.

No one from another distribution responded with specific details that were
different from this "aren't security flaws, precisely" statement.
So, we will make the CVE assignments on the basis of the original report.

> The Enlightenment window manager (enlightenment.org) was found to ship
> with (a) a setuid root helper that did not effectively sanitize its
> environment and (b) a weak default configuration. Users in select
> groups could exploit this to execute arbitrary programs as root.

> add more environment variables to nuke and add alternate environment
> nuke method to raise security level.

>  1. clear out environment as best is possible before executing
>     anything. especially PATH and IFS are set to minimal base defaults.
>     also use clearenv() if available and unsetenv()

Use CVE-2014-1845 for this issue in which the environment isn't
properly restricted.


> 2. remove gdb method as it's just too dangerous. run it as normal as
>    the user and if the kernel / distro deny that - then sorry. too bad.

Use CVE-2014-1846 for this issue in which gdb is available unsafely in
the unpatched codebase.


In this interpretation, "and (b) a weak default configuration. Users
in select groups could exploit this to execute arbitrary programs as
root" means that at least one not-equivalent-to-root user is able to
execute the helper program. In other words, it is not an independent
vulnerability.

A specific Linux distribution might, for example, have an
implementation error in determining who is allowed to execute the
helper program. If anything like that is reported, additional CVE
assignments would be possible.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
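The hardening described in the quoted changelog (clear the environment before executing anything, set PATH and IFS to minimal defaults, use clearenv() where the libc provides it and unsetenv() otherwise), as an added C example that is not Enlightenment's own code. The SAFE_PATH and SAFE_IFS values and the function names are assumptions made for this illustration.

```c
#define _GNU_SOURCE            /* glibc: expose clearenv() */
#include <stdlib.h>
#include <string.h>

extern char **environ;
int clearenv(void);            /* glibc prototype, repeated in case a feature macro hides it */
#define SAFE_PATH "/usr/bin:/bin"   /* constructed minimal defaults for this example */
#define SAFE_IFS  " \t\n"

/* Step 1: wipe everything. clearenv() where the libc has it, else unsetenv() per name. */
static void nuke_environment(void)
{
#ifdef __GLIBC__
    clearenv();
#else
    while (environ != NULL && environ[0] != NULL) {
        const char *eq = strchr(environ[0], '=');
        size_t len = eq ? (size_t)(eq - environ[0]) : 0;
        char *name = len ? malloc(len + 1) : NULL;
        if (name == NULL) { environ = NULL; break; }  /* malformed entry or OOM: drop all */
        memcpy(name, environ[0], len); name[len] = '\0';
        unsetenv(name);                                /* non-empty, '='-free: removes it */
        free(name);
    }
#endif
}

/* Step 2: rebuild only what the helper needs, from constants. Returns 0 or -1. */
int sanitize_environment(void)
{
    nuke_environment();
    if (setenv("PATH", SAFE_PATH, 1) != 0 || setenv("IFS", SAFE_IFS, 1) != 0) return -1;
    return 0;
}

/* 1 if the environment is exactly {PATH, IFS} with the safe values, else 0. */
int environment_is_minimal(void)
{
    const char *p = getenv("PATH"), *i = getenv("IFS");
    size_t count = 0;
    for (char **e = environ; e != NULL && *e != NULL; e++) count++;
    return count == 2 && p && i && !strcmp(p, SAFE_PATH) && !strcmp(i, SAFE_IFS);
}

int main(void)
{
    setenv("LD_PRELOAD", "/tmp/unwanted.so", 1);   /* constructed caller-controlled input */
    return sanitize_environment() != 0 || !environment_is_minimal();   /* 0 = hardened */
}
```

Call sanitize_environment() before any exec or system-style call in the privileged helper; the exit status of main is 0 only when the rebuilt environment contains nothing but the two safe values.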
