Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 Jan 2016 21:51:10 -0500 (EST)
Subject: Re: CVE assignment request for security bugs fixed in glibc 2.23

Hash: SHA256

The MITRE CVE team generally can assign IDs for security-fix releases
of products where a notable upstream vendor has already made a final
determination of what issues are, from their perspective,
vulnerabilities that require customers to perform a product update.
This is, to some extent, independent of what our perspective otherwise
would have been.

Based on the set of issues mentioned, however, we probably don't have
a shared understanding of what glibc bugs should be considered
vulnerabilities and what ones should be considered ordinary bugs. This
doesn't mean that there ought to be a decision process that is
specific to glibc alone: there are people sending CVE ID requests to
MITRE for other libraries, including similarly general-purpose

Possibly part of the glibc vulnerability model is that memory-safety
issues should be considered vulnerabilities, regardless of how
unlikely it is for an attack to cross a privilege boundary. Similarly,
possibly part of the model is that issues in which glibc simply
provides the wrong answer are not vulnerabilities, regardless of
whether there's a plausible scenario in which the wrong answer leads
to a catastrophic security failure. If there should be some CVE IDs
for wrong-answer issues, we don't know the best way to subdivide the
space of wrong answers, e.g., wrong results in floating-point math are
perhaps attackable less often than wrong results in string operations.
None of this is going to be resolved today, so here are the five CVE
IDs for the listed issues.

> Passing out of range data to strftime() causes a segfault
> Out-of-range time values passed to the strftime function may cause it to
> crash, leading to a denial of service, or potentially disclosure
> information.

Use CVE-2015-8776. We don't happen to know of any cases in which a
reasonable application would, for example, allow a user to enter an
integer value that refers to the 13th month in a way that crosses a
privilege boundary. The glibc change might suggest that that
application should be happy with output of the form "19 ? 2016" (the
19th day of an unknown month in 2016). We feel that there's a
(probably weak) argument that this is a defense-in-depth change to
glibc, not a vulnerability fix, because there's no universally
understood way for glibc to inform an arbitrary application that it
has elected to produce a malformed, but memory-safe, result.

> LD_POINTER_GUARD is not ignored for privileged binaries
> LD_POINTER_GUARD was an environment variable which controls
> security-related behavior, but was not ignored for privileged binaries
> (in AT_SECURE mode).  This might allow local attackers (who can supply
> the environment variable) to bypass intended security restrictions.

Use CVE-2015-8777. We don't feel that there is any way to conclude
that this is a vulnerability unless confirmed by the upstream vendor
(and it obviously is confirmed). For example, maybe LD_POINTER_GUARD
was originally envisioned as a defense against remote attacks, and the
ability of unprivileged local users to run setuid/setgid programs with
LD_POINTER_GUARD=0 was an intentional workaround for scenarios in
which pointer guarding was not working properly.

> hcreate((size_t)-1) should fail with ENOMEM
> This is an integer overflow in hcreate and hcreate_r which can result in
> an out-of-bound memory access.  This could lead to application crashes
> or, potentially, arbitrary code execution.

Use CVE-2015-8778. We don't happen to know of any cases in which an
application allows a user to specify hcreate arguments in a way that
crosses a privilege boundary.

> nan function unbounded stack allocation
> A stack overflow (unbounded alloca) can cause applications which process
> long strings with the nan function to crash or, potentially, execute
> arbitrary code.

Use CVE-2014-9761. Here, it seems somewhat more plausible that the nan
argument would ultimately originate from untrusted input in a way that
crosses a privilege boundary. We don't know of a specific example that
would be realistic.

> catopen() Multiple unbounded stack allocations
> A stack overflow (unbounded alloca) in the catopen function can cause
> applications which pass long strings to the catopen function to crash
> or, potentially execute arbitrary code.

Use CVE-2015-8779. At least for the example, we
don't happen to know of any cases in which an application allows a
user to specify an arbitrary pathname in a way that crosses a
privilege boundary, and then decides to catopen that pathname.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.