Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 12 Feb 2015 12:27:21 -0500 (EST)
From: cve-assign@...re.org
To: Todd.Miller@...rtesan.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: sudo TZ issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Your February 9 message said "CVE request," your February 11 message
didn't withdraw the request, and you mentioned that 'the promise that
commands be started with a "safe" environment' is an intended property
of sudo. That's sufficient for a CVE; use CVE-2014-9680.

> There are really two issues here: exposure of TZ parsing bugs and
> access to arbitrary (potentially user-controlled) files. I'm happy
> to put the blame for TZ parsing bugs on libc or the application.
> However, there is no real way for the application to tell that it
> is being run by an unprivileged user and that operations that would
> otherwise be safe (opening a user-specified time zone file) may be
> dangerous.

The scope of CVE-2014-9680 is limited to the undesired ability of an
attacker to trigger an open call for a pathname outside the zoneinfo
directory (whether this is done with an absolute pathname or a
relative pathname). The scope of CVE-2014-9680 does not include
blocking other types of invalid or potentially malicious TZ values.
For example:

> It is longer than the value of PATH_MAX.

It seems simple to envision a program for which a length of PATH_MAX-2
triggers a buffer overflow. Even if such a program were known, we
wouldn't want to assign a CVE ID to sudo on the basis that PATH_MAX-2
isn't blocked.

> http://openwall.com/lists/oss-security/2014/10/15/24

> Procmail is another program that recklessly whitelists TZ

Use CVE-2014-9681 for the similar issue in procmail.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU3OIQAAoJEKllVAevmvms/M0H+QGrI9RHIuVe3o1srcyy7fSx
qKl/T8hMjXLp5dliRa2MlTCHFqzpzuT/v+xeAk7u7HIRTyfo8eKqO5PJZANCTG3m
0dlBICOjLx3ne3QyP+2DSJM+iSh0Z5Qz2vpUKz05Ry0jSzEY/cF/t7NBPEo0f0pw
CDMK/BxMVbhYHZnRs4MmCU0hPG2w0q/aa4I45rVJilB3z+sF1IDClw/uJWu3ZAMi
ysAb278nfhMVzAklvzdwb2jpjk41orPPXY6XRGL2lsIEbZ+CFDPJs6mEW8q1oYxJ
BE3nxsblJ543Y2KGkGVXXxg485H4FBhMkBL/znFmzPkHUKeTh3wl271d3krpbJU=
=bEKj
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.