Date: Thu, 16 Apr 2015 09:52:20 +0530 From: Huzaifa Sidhpurwala <huzaifas@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: Re: Problems in automatic crash analysis frameworks On 04/16/2015 09:34 AM, cve-assign@...re.org wrote: > As far as we can tell, the other issues in the "Furthermore, Abrt > suffers" section of > http://openwall.com/lists/oss-security/2015/04/14/4 are about an > attacker who must create a symlink as part of an attack with a goal of > making the collected crash data include unintended (and possibly > private) information. We currently think that a single CVE ID can be > used for all of them. > > IMO two CVEs are required: "Various symlink flaws in abrt" and "Various race conditions in abrt" I am not sure if the exploit used one or both of these issues to achieve privesc, but both of these issues exists, are security flaws and may have varied impact. (Maybe not easy to exploit?) -- Huzaifa Sidhpurwala / Red Hat Product Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.