Date: Wed, 01 Apr 2009 14:15:17 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request -- zsh, XFree86-xfs/xorg-x11-xfs, screen
Hello Steve,
On Tue, 2009-03-31 at 21:12 -0400, Steven M. Christey wrote:
> On Wed, 25 Mar 2009, Jan Lieskovsky wrote:
>
> > 1, zsh Stack-based buffer overflow due to improper escaping of the '!' character
> > References:
> > https://bugs.launchpad.net/ubuntu/+source/zsh/+bug/333722
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521108
> > https://bugzilla.redhat.com/show_bug.cgi?id=492089
>
> This doesn't seem like a vulnerability to me. It's only executable in
> interactive mode. If the attacker can already type in commands, then they
> already have the privileges to execute code.
Fair enough.
>
> > 2, XFree86-xfs / xorg-x11-xfs Unsafe usage of temporary file
> > References:
> > https://bugs.launchpad.net/ubuntu/+source/xfs/+bug/299560
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521107
> > https://bugzilla.novell.com/show_bug.cgi?id=408006
> > https://bugzilla.redhat.com/show_bug.cgi?id=492098
>
> Is this a regression of CVE-2007-3103 (DEBIAN:DSA-1342) or is there
> something else going on here?
Yeah, this is CVE-2007-3103.
>
> > 3, screen: Unsafe usage of temporary file
> > References:
> > https://bugs.launchpad.net/ubuntu/+source/screen/+bug/315993
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123
> > https://bugzilla.redhat.com/show_bug.cgi?id=492104
>
> CVE-2009-1214 - world-readable permissions
> CVE-2009-1215 - symlink following
Thanks.
Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
>
> - Steve
>
> ======================================================
> Name: CVE-2009-1214
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1214
> Reference: MLIST:[oss-security] 20090325 CVE request -- zsh, XFree86-xfs/xorg-x11-xfs, screen
> Reference: URL:http://www.openwall.com/lists/oss-security/2009/03/25/7
> Reference: MISC:http://savannah.gnu.org/bugs/?25296
> Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123
> Reference: CONFIRM:https://bugs.launchpad.net/ubuntu/+source/screen/+bug/315993
> Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=492104
>
> GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with
> world-readable permissions, which might allow local users to obtain
> sensitive session information.
>
>
> ======================================================
> Name: CVE-2009-1215
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1215
> Reference: MLIST:[oss-security] 20090325 CVE request -- zsh, XFree86-xfs/xorg-x11-xfs, screen
> Reference: URL:http://www.openwall.com/lists/oss-security/2009/03/25/7
> Reference: MISC:http://savannah.gnu.org/bugs/?25296
> Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123
> Reference: CONFIRM:https://bugs.launchpad.net/ubuntu/+source/screen/+bug/315993
> Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=492104
>
> Race condition in GNU screen 4.0.3 allows local users to create or
> overwrite arbitrary files via a symlink attack on the
> /tmp/screen-exchange temporary file.
>
>
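Both screen issues assigned above (world-readable permissions and symlink following on a fixed /tmp path) come down to how the file is opened. The following is an added example, not part of the original message and not screen's own code; `open_exchange_file` and `path_mode` are hypothetical helper names and the scratch directory in `main` is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, mkdtemp, lstat */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not screen's code): open `path` for writing, refuse
 * symlinks, and leave it mode 0600. Returns an fd, or -1 with errno set. */
int open_exchange_file(const char *path)
{
    struct stat st;
    /* O_CREAT|O_EXCL refuses any existing name; 0600 is private from creation. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0 && errno == EEXIST)   /* reuse an existing entry, symlinks still refused */
        fd = open(path, O_WRONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    /* Check the opened object, not the name: regular file, ours, single link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    /* Tighten a pre-existing world-readable file before any data is written. */
    if (fchmod(fd, 0600) != 0 || ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permission bits of `path` (lstat, so a symlink is not followed), or -1. */
int path_mode(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

int main(void)
{
    char dir[] = "/tmp/xchg-demo-XXXXXX", path[64];  /* constructed scratch dir */
    if (!mkdtemp(dir)) return 1;
    snprintf(path, sizeof path, "%s/exchange", dir);
    int fd = open_exchange_file(path);
    printf("fd=%d mode=%o\n", fd, (unsigned)path_mode(path));
    close(fd); unlink(path); rmdir(dir);
    return fd < 0;
}
```

A per-user directory instead of a fixed name in a shared /tmp removes the race entirely; the flags above are the minimum when the shared path has to stay.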