Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 12 Feb 2015 12:27:21 -0500 (EST)
Subject: Re: CVE request: sudo TZ issue

Hash: SHA1

Your February 9 message said "CVE request," your February 11 message
didn't withdraw the request, and you mentioned that 'the promise that
commands be started with a "safe" environment' is an intended property
of sudo. That's sufficient for a CVE; use CVE-2014-9680.

> There are really two issues here: exposure of TZ parsing bugs and
> access to arbitrary (potentially user-controlled) files. I'm happy
> to put the blame for TZ parsing bugs on libc or the application.
> However, there is no real way for the application to tell that it
> is being run by an unprivileged user and that operations that would
> otherwise be safe (opening a user-specified time zone file) may be
> dangerous.

The scope of CVE-2014-9680 is limited to the undesired ability of an
attacker to trigger an open call for a pathname outside the zoneinfo
directory (whether this is done with an absolute pathname or a
relative pathname). The scope of CVE-2014-9680 does not include
blocking other types of invalid or potentially malicious TZ values.
For example:

> It is longer than the value of PATH_MAX.

It seems simple to envision a program for which a length of PATH_MAX-2
triggers a buffer overflow. Even if such a program were known, we
wouldn't want to assign a CVE ID to sudo on the basis that PATH_MAX-2
isn't blocked.


> Procmail is another program that recklessly whitelists TZ

Use CVE-2014-9681 for the similar issue in procmail.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.