Date: Wed, 7 May 2014 23:29:13 -0400 (EDT) From: cve-assign@...re.org To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: local privilege escalation due to capng_lock as used in seunshare -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We think there should be a CVE ID for the combination of these two observations: 1. seunshare is intended to be setuid root (see the http://userspace.selinuxproject.org/trac/browser/policycoreutils/sandbox/Makefile file) 2. dropping privileges no longer makes the traditional change to the saved set-user-ID, as shown by the getresuid example in the http://openwall.com/lists/oss-security/2014/04/30/4 post Use CVE-2014-3215. This message obviously isn't intended to contribute to the technical discussion of how the design of seunshare and other software led to this state. Also, nobody has sent MITRE's cve-assign team a PoC in which running seunshare contributes to a privilege escalation. CVE-2014-3215 might be considered an "exposure." Essentially, running seunshare is a way to bypass a potentially important protection mechanism, and that wasn't a documented effect of installing seunshare. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTaviCAAoJEKllVAevmvmsfkQH/21wa2jxXCFiCe8YorCTcQuk XmoAgLF4bBNpP8ws8gtdHBWt5mQdo51+pZ9xAWc0og2+cqPCQZTnndookDKkbMSM TMeI23USLjEqMLnBYBAy5WDwyFcCToBBiCDXpO6KGdLBwJ6A9EudJkUcU2R63jD5 wT84zak6hiGYJGnRxTlKxboMzVIFXlnWmYxm+cA7B9iGBV8bAZU/xOi9z0C2a13h ZZYitwxwMvtpcQJZtf6iSxix4lH1RIeJmbFY5X8CTgQzpVEjCaW3GH/vpTX5ZpcJ K2pxzuVIUhbxVapPmy4mYnhus78WVwOveydO7jdEk9yh9wnUZUte4ihizxJsxZU= =P4Px -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.