Date: Tue, 10 Nov 2009 00:26:46 +0000 (UTC)
From: security curmudgeon <jericho@...rition.org>
To: oss-security@...ts.openwall.com
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: oping allows the disclosure of 
 arbitrary file contents


On Mon, 9 Nov 2009, Steven M. Christey wrote:

: On Sat, 17 Oct 2009, yersinia wrote:
: 
: > On Fri, Oct 16, 2009 at 10:06 PM, Josh Bressers <bressers@...hat.com> wrote:
: > > ----- "Julien Tinnes" <julien.tinnes@...il.com> wrote:
: > >
: > > [snip]
: > >
: > > I took a look in the oping source. Without another security flaw, this is just
: > > a bug, oping doesn't do anything while still root that could be an issue. I
: > > agree that it should be fixed, it is a serious bug, but an attacker cannot do
: > > anything nefarious with this flaw.
: > I think that the upstream mantainer should be have the last word
: > http://verplant.org/liboping/
: 
: This says:
: 
:   2009-09-29 Version 1.3.3 is available. The new release fixes a serious
:   security issue in oping: If the application is installed with the
:   SetUID-bit, anybody on the system could use oping to read arbitrary
:   files using the "-f" option.
: 
: So as stated, this sounds worthy of a CVE to me.  Thoughts?

Is it so different than "vulnerable if dangerous_php_option=true is 
configured"? I guess the distinction is that we know many systems 
configure PHP with dangerous options, while admins generally don't run 
around slapping SUID on everything. 

To me, it is a vuln if there is a reasonable case where it may be SUID, 
or called with increased privileges.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.