Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  NEWS  community  lists  Wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [month] [year] [list] 
Date: Tue, 7 Oct 2008 16:56:27 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: coley@...re.org
Subject: Re: duplicates: CVE-2008-4406 and CVE-2008-4407 [sabre
 insecure temp file]


On Sat, 4 Oct 2008, Steffen Joeris wrote:

> The CVE ids issued for sabre regarding the insecure use of the tmp file
> are the same. The issue was introduced by a debian patch, but other
> vendors might have possibly patched it the same way. I suggest to mark
> one of them as a duplicate though, because it might be confusing.

We happened to SPLIT on the symlink issue versus the "can't overwrite
/tmp/sabre.log" issue because fixing the symlink does not necessarily fix
the other problem.  Also, if the patch introduced CVE-2008-4407 and others
might have used that patch, these are distinct errors - someone might have
fixed CVE-2008-4406 but not CVE-2008-4407.

Some more explanation is below; let me know if I'm still missing
something.

I've noticed that Debian generally treats multiple different errors as a
more general "insecure file creation" issue.  For CVE, we haven't figured
out how to handle this.

- Steve

======================================================
Name: CVE-2008-4406
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4406
Acknowledged: yes bug-report
Announced: 20081001
Flaw: link
Reference: MLIST:[oss-security] 20081001 CVE id request: sabre
Reference: URL:http://openwall.com/lists/oss-security/2008/10/01/1
Reference: CONFIRM:http://bugs.debian.org/433996

A certain Debian patch to the run scripts for sabre (aka xsabre)
0.2.4b allows local users to delete or overwrite arbitrary files via a
symlink attack on unspecified .tmp files.


Analysis:
WIKI: Message #10 in bug 433996 says "delete" whereas
oss-security/2008/10/01/1 says "overwriting."

WIKI: It is unclear whether ".tmp files" is different from
/tmp/sabre.log.

ACKNOWLEDGEMENT: in Debian bug 433996, Nico Golde set the severity to
"grave," implying acknowledgement.


======================================================
Name: CVE-2008-4407
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4407
Acknowledged: unknown
Announced: 20081001
Flaw: other
Reference: MISC:http://bugs.debian.org/433996

XRunSabre in sabre (aka xsabre) 0.2.4b relies on the ability to create
/tmp/sabre.log, which allows local users to cause a denial of service
(application unavailability) by creating a /tmp/sabre.log file that
cannot be overwritten.


Analysis:
INCLUSION: This seems to be a distinct vulnerability, although this
type of vulnerability happens to accompany cases of symlink
vulnerabilities that involve fixed filenames and unprivileged users.

ACKNOWLEDGEMENT: in Debian bug 433996, Nico Golde set the severity to
"grave," implying acknowledgement.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ