Date: Fri, 15 Aug 2014 04:24:43 -0400 (EDT)
Subject: Re: CVE request: xcfa: Insecure use of temporary files, subject to race conditions

As mentioned in the post, the Symlink
Following composite is treated as somewhat of a special case in CVE.
This doesn't, for example, mean that all problematic uses of files in
/tmp are always covered by a single CVE ID.

>> rm /tmp/index.html

>> any existing file called /tmp/index.html will be removed regardless

This may be an issue that is typically treated as a usability problem
(or maybe a documentation problem), not a security problem. The rm
program should remove /tmp/index.html - it should not remove the
target of a /tmp/index.html symlink. (If there is a race condition
within an implementation of rm, that would not be an xcfa

Ideally, xcfa would not remove /tmp/index.html because /tmp/index.html
might be an important file unrelated to xcfa. However, there doesn't
seem to be a way to design an "attack" in the traditional sense, and
/tmp/index.html isn't a filename that would be important in typical
cases. For example, if I have a critical file named file.txt~ and a
less important file named file.txt, and I decide to modify file.txt
with emacs, then file.txt~ is overwritten with no warning. This is
typically not considered an emacs vulnerability. covers a number of Symlink Following
issues that allow overwriting files. Use CVE-2014-5254 for all of

>>         fp = fopen ("/tmp/", "w");
>>         fprintf (fp, "#!/bin/sh\n");

>>         fclose (fp);
>>         system ("chmod +x /tmp/");
>>         system ("/tmp/");

This one doesn't seem to be necessarily a Symlink Following issue. At
the instant of the fopen, /tmp/ might be a plain file
(not a symlink), owned by the attacker but with 0777 permissions. The
fopen/fprintf/fclose would succeed, and the chmod would fail. The
attacker can insert malicious code into /tmp/ in
between the fclose line and the second system line. Use CVE-2014-5255
for this.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
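The fopen/chmod/system sequence quoted above is open to the race the CVE team describes because it trusts a fixed path in /tmp that anyone may have created first. As an added example (not code from the original thread or from xcfa), the C routine below creates the helper script with mkstemp, which fails if the name already exists, sets the mode with fchmod on the descriptor it owns rather than with a path-based chmod, and confirms ownership and mode on that same descriptor before writing; the function names and the "helper-XXXXXX" template are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check the open descriptor (not the path, which could be swapped under us):
 * regular file, owned by us, no group/other permission bits. 1 = OK, 0 = not. */
int fd_is_private_regular(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;    /* FIFO, device, directory, ... */
    if (st.st_uid != geteuid()) return 0;  /* pre-placed by another user */
    if ((st.st_mode & 077) != 0) return 0; /* someone else could edit it */
    return 1;
}

/* Create a private executable script in `dir`, write `body` into it and
 * return 0 with the path in `path` (size `pathsz`); -1 on any failure.
 * The caller unlinks `path` after running it. Hypothetical helper name. */
int create_private_script(const char *dir, const char *body,
                          char *path, size_t pathsz) {
    int n = snprintf(path, pathsz, "%s/helper-XXXXXX", dir); /* constructed template */
    if (n < 0 || (size_t)n >= pathsz) return -1;
    int fd = mkstemp(path);            /* O_CREAT|O_EXCL: an existing file fails */
    if (fd < 0) return -1;
    /* fchmod acts on the file we just created, so it cannot fail the way a
     * path-based "chmod +x" on an attacker-owned file would. */
    if (fchmod(fd, S_IRWXU) != 0 || !fd_is_private_regular(fd)) goto fail;
    const char *p = body;
    size_t len = strlen(body);
    while (len > 0) {
        ssize_t w = write(fd, p, len);
        if (w < 0) { if (errno == EINTR) continue; goto fail; }
        p += w;
        len -= (size_t)w;
    }
    if (close(fd) != 0) { unlink(path); return -1; }
    return 0;
fail:
    close(fd);
    unlink(path);
    return -1;
}
```

Because /tmp normally carries the sticky bit, only the file's owner can unlink or rename the result, so the path handed to the caller stays the file that was just written.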

