Date: Tue, 31 Mar 2009 21:12:25 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security <oss-security@...ts.openwall.com>
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request -- zsh, XFree86-xfs/xorg-x11-xfs,
 screen


On Wed, 25 Mar 2009, Jan Lieskovsky wrote:

> 1, zsh Stack-based buffer overflow due to improper escaping of the '!' character
>    References:
>    https://bugs.launchpad.net/ubuntu/+source/zsh/+bug/333722
>    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521108
>    https://bugzilla.redhat.com/show_bug.cgi?id=492089

This doesn't seem like a vulnerability to me.  It's only executable in
interactive mode.  If the attacker can already type in commands, then they
already have the privileges to execute code.

> 2, XFree86-xfs / xorg-x11-xfs Unsafe usage of temporary file
>    References:
>    https://bugs.launchpad.net/ubuntu/+source/xfs/+bug/299560
>    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521107
>    https://bugzilla.novell.com/show_bug.cgi?id=408006
>    https://bugzilla.redhat.com/show_bug.cgi?id=492098

Is this a regression of CVE-2007-3103 (DEBIAN:DSA-1342) or is there
something else going on here?

> 3, screen: Unsafe usage of temporary file
>    References:
>    https://bugs.launchpad.net/ubuntu/+source/screen/+bug/315993
>    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123
>    https://bugzilla.redhat.com/show_bug.cgi?id=492104

CVE-2009-1214 - world-readable permissions
CVE-2009-1215 - symlink following

- Steve

======================================================
Name: CVE-2009-1214
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1214
Reference: MLIST:[oss-security] 20090325 CVE request -- zsh, XFree86-xfs/xorg-x11-xfs, screen
Reference: URL:http://www.openwall.com/lists/oss-security/2009/03/25/7
Reference: MISC:http://savannah.gnu.org/bugs/?25296
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123
Reference: CONFIRM:https://bugs.launchpad.net/ubuntu/+source/screen/+bug/315993
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=492104

GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with
world-readable permissions, which might allow local users to obtain
sensitive session information.


======================================================
Name: CVE-2009-1215
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1215
Reference: MLIST:[oss-security] 20090325 CVE request -- zsh, XFree86-xfs/xorg-x11-xfs, screen
Reference: URL:http://www.openwall.com/lists/oss-security/2009/03/25/7
Reference: MISC:http://savannah.gnu.org/bugs/?25296
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123
Reference: CONFIRM:https://bugs.launchpad.net/ubuntu/+source/screen/+bug/315993
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=492104

Race condition in GNU screen 4.0.3 allows local users to create or
overwrite arbitrary files via a symlink attack on the
/tmp/screen-exchange temporary file.
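
The two flaws named in the CVE entries above, as an added C example that is not part of the original message and is not GNU screen's source: a writer that opens a fixed path in a shared directory with default flags, beside a hardened writer. The function names are hypothetical, and the caller passes the path.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Pattern behind both CVEs (illustrative, not screen's code): default
 * open flags follow a symlink planted at the path, and the mode is
 * 0666 minus the umask, i.e. 0644 (world-readable) with umask 022. */
int write_exchange_legacy(const char *path, const char *buf, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, buf, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Hardened form: refuse symlinks, verify the opened object, force 0600. */
int write_exchange_hardened(const char *path, const char *buf, size_t len)
{
    struct stat st;
    /* O_NOFOLLOW: open() fails with ELOOP if the last component is a
     * symlink. O_NONBLOCK: do not hang on a FIFO placed at the path.
     * No O_TRUNC: nothing is modified until the checks below pass. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    /* Check the descriptor, not the path, so there is no check/use race:
     * regular file, owned by us, no extra hard links, then owner-only. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1 ||
        fchmod(fd, 0600) != 0 || ftruncate(fd, 0) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    ssize_t n = write(fd, buf, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}
```

Keeping such a file in a per-user directory with mode 0700 instead of directly in /tmp removes the shared-directory race altogether; the descriptor checks then serve as defense in depth.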

