Date: Thu, 26 Jun 2014 00:44:38 -0400 (EDT)
Subject: Re: TMP flaw in rackspace jclouds?


>             .add(exec("mkdir /tmp/$$"))
>             .add(extractTargzIntoDirectory(tgz, "/tmp/$$"))
>             .add(exec("mkdir -p " + dest))
>             .add(exec("mv /tmp/$$/*/* " + dest))
>             .add(exec("rm -rf /tmp/$$")).build());

Use CVE-2014-4651 for this vulnerability in jclouds.

Here are additional comments. A quick summary is that more CVEs might
be required because of different discoverers (apparently one other
person/organization made discoveries about five additional files) or
different flaw types.

1. This is a somewhat unusual case for CVE. Apparently, the issue
isn't that jclouds has a Symlink Following vulnerability; it's
that jclouds generates code that has a Symlink Following
vulnerability. Also, the generated code is never executed on a machine
that executes jclouds, so there's no
confidentiality/integrity/availability impact to that machine.
However, similar scenarios have qualified for CVE IDs. Possibly the
most similar scenario is toolkits for building web applications, in
which every generated application has an XSS vulnerability.

2. The general concepts of "generates code with flaw X" and "contains
code with flaw X" would probably not be combined into one CVE, but we
didn't immediately see any of the latter fixed in the

3. We didn't immediately figure out whether any of the patched files
with names containing "test" or "Test" are part of the installed
product, or are only used during development.

4. Possibly, some of the code runs early in the process of setting up
a new virtual machine, e.g., contains an
"exec 3<> /etc/ssh/sshd_config" line that might be the initial
configuration of an sshd_config file. The details of this specific
file are not especially relevant. The point is that, if anyone finds a
situation where code with a Symlink Following vulnerability executes
only during machine provisioning, before any untrusted person is able
to login to an unprivileged account, then that Symlink Following
vulnerability is unexploitable and shouldn't have a CVE ID assigned.

5. We don't really understand why this product is retrieving .tgz
files from http URLs with curl, extracting the archives, apparently
not attempting to verify file integrity, and executing files. Possibly
this is considered relatively safe because the code would normally be
executed within a data center of a professional cloud-services
provider, and man-in-the-middle attacks would be relatively difficult
compared to, say, attacks against http download/extract/execute by a
client on a Wi-Fi network. But, we're not really sure. For example,
have an implied security policy that the sequence of steps from "GET" to
"ruby setup.rb" is "safe enough" against man-in-the-middle?

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]

