Date: Thu, 7 Jan 2016 19:54:24 -0500 (EST) From: cve-assign@...re.org To: carnil@...ian.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: netfilter-persistent: (local) information leak due to world-readable rules files -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > iptables-persistent (in Debian) is a loader for netfilter configuration > using a plugin-based architecture. > > iptables-persistent is vulnerable to a (local) information leak due to > world-readable rules files. It was reported in Debian in > > https://bugs.debian.org/764645 > > And fixed via > > https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/commit/?id=37905034f07e94c4298a1762b39b7bbd4063c0df Do you have any further information about why this should be considered a vulnerability in general? We realize that it might, at least, be considered a vulnerability for Debian systems because of "Tags: security" in the original report. For example, is there a specific piece of data in the files that is always supposed to be private? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764645#5 indicates that an unprivileged user can obtain information by directly opening the files, but cannot obtain this information with an "/sbin/iptables -L" command. This does not, by itself, establish that a security feature has been defeated. It is possible that it was simply inconvenient to implement the -L option in a way that provided access to unprivileged users. What we are trying to avoid is a situation in which CVE IDs are assigned solely because a system administrator might not want files to be readable by unprivileged users. For example, maybe someone would prefer stricter /etc/hosts.allow permissions to prevent rogue local users from discovering the names of other hosts that possibly have symmetric "allow" policies. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWjwg3AAoJEL54rhJi8gl5KeEP/jez+zmk3CO4xMx9f5yWwSSR 1NHAQ6YpSOWBrrBz1BKvdVYYkfS+OgjvI7Y7XMTPgXG6QRYrYGVa8QqLkE1TlFUr 7q3pgONQ9+O+B15J8cZNSYXcu8paEi641Jrui25jyltadL++FYblJ0kF7uL9q7fF H/lAsZPKNAID3QBEmhtF7kMrHPmL5+VpWzaxRnnr71nO8v0V5sdUJToXCXI9ZOT8 GQVkAajWcFZX7EqHRchXGGTC2bVXm4UThTLm/HxKTev1rUKt3FbFxJRtLA1KYNBM jO8ZZ+/zJuY1Yn8UsLhPCornccafv1oOqsxSh0WXWDhYpedM9onlqUeZqeTip/yi K6nbK1WgcUD7fKJVRjBgmzJbcIw1WtYk0BQg51nXnURcbztZ1ICQwCtEvHwC4xsP kXBTsXCYHHyzTIPRN2LWWVWzFUMxeDL7PGv8Glf+HGx2OQdycHZlhdKO/eVLy/o0 k/QfcoNxoO4xh42Q9LkyLM/NQ+DNk1bpfMsfOBiFVPdzyzThU5l610EIxVWBumdG DWWefmwjSryUtuTL7PoGkbUvvExCHmpgzoGTcBAiRHwoA+CZDxqZi0epoODGUkTo eUbVFKkepd3hO6Bv3v5O0NLIQ3SCRtUSfp7JTFaWLRfxdlDuod7V4Khxwvwwj6lA QBOU0aocrXDg6aAoneV5 =FspR -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.