Date: Fri, 23 May 2014 14:21:19 -0400 (EDT)
From: cve-assign@...re.org
To: zanchey@....gu.uwa.edu.au
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Upcoming security release of fish 2.1.1

> http://openwall.com/lists/oss-security/2014/05/06/3

> First, we should mention that a single CVE ID cannot be used for a set
> of related issues that have different affected versions. For the
> earlier message that mentioned CVE-2014-2906 and CVE-2014-2914,
> approximately two more CVE IDs will be needed. We will send those
> later.

>> CVE-2014-2906: fish temporary file creation vulnerable to race condition
>> leading to privilege escalation
>>
>> Versions 1.23.0 to 2.1.0 (inclusive) execute code from these temporary files,
>> allowing privilege escalation to those of any user running fish, including
>> root.
>>
>> Additionally, from at least version 1.16.0 to version 2.1.0 (inclusive),
>> fish will read data using the psub function from these temporary files,
>> meaning that the input of commands used with the psub function is under the
>> control of the attacker.

This actually needs two CVE IDs because there are two affected
functions, with different sets of affected versions. (For example,
there is a psub vulnerability in version 1.22.0, but there is no
funced vulnerability in 1.22.0 because funced didn't yet exist.)

For the psub vulnerability, please continue to use CVE-2014-2906.

For the funced vulnerability, please use CVE-2014-3856.

>> fish version 2.1.1 restricts incoming connections to localhost only. At this
>> stage, users should avoid running fish_config on systems where there are
>> untrusted local users, as they are still able to connect to the fish_config
>> service and elevate their privileges to those of the user running
>> fish_config.

At present, we're not assigning an additional CVE ID for this "local
users ... elevate their privileges" issue. Our interpretation is that
you're not trying to make an announcement that 2.1.1 is a vulnerable
version. Instead, you're trying to document the machine environment on
which fish_config in 2.1.1 can be safely used (i.e., machines with
untrusted local users are not fully supported for fish_config at the
moment).

If you actually wanted a CVE ID for versions 2.1.1 and earlier,
referring to the fish_config attack by local users, please let us
know.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]