Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 17 Jun 2014 01:17:57 -0400 (EDT)
From: cve-assign@...re.org
To: vdanen@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: multiple /tmp races in ppc64-diag

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugzilla.novell.com/show_bug.cgi?id=882667
> https://bugzilla.redhat.com/show_bug.cgi?id=1109371


> In the case of rtas_errd/prrn_hotplug, mktemp is used but is assumed
> to have succeeded; there is no check for the return value.

Are you reporting this as a prrn_hotplug vulnerability? If it were a
vulnerability, it would have a separate CVE ID. We didn't test the
code, but it looks more like an opportunity for a non-security
enhancement or maybe a bug fix. Our guess is:

  1. If the return value is nonzero, stdout is an empty string.

  2. All of the ">> $TMPFILE" will fail, and won't write anything into
     any file.

  3. The outcome is that /var/log/prrn_log doesn't have log
     information about what happened. We don't know of any direct
     security implications.

  4. Possibly the code should check the return value and print
     something like "mktemp failed - maybe you're out of /tmp disk
     space?" but it might be better to let the rest of the script run
     anyway (i.e., not abort after that error condition).

At least for now, there is no CVE ID for prrn_hotplug.


> I don't know if the data in /tmp/diagSEsnap is sensitive or not

  mkdir "/tmp/diagSEsnap", 0775;
  $general_eed_file = "/tmp/diagSEsnap/snapH.tar.gz";
  system("/usr/sbin/snap -o $general_eed_file 2>/dev/null 1>&2");

This seems to be similar to the CVE-2014-3925 sosreport issue.
snapH.tar.gz apparently will include /etc/fstab and therefore might
include a password.
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-54819
says "When you report a problem to IBM Technical Support, run the snap
utility and send the ... file to them." In addition, snapH.tar.gz
apparently will include /var/log/messages, which traditionally is not
supposed to be a world-readable file.

(snap and sosreport aren't derivatives of the same code.)

Also, the question of whether "/usr/sbin/snap -o $general_eed_file" is
exploitable may depend on the behavior of snap. Apparently, snap does
check whether the -o output file exists but doesn't avoid TOCTOU
problems. Arguably, snap isn't responsible for avoiding TOCTOU
problems because it's not inherently designed for use with untrusted
output filenames.

So, three CVEs seems to be the right number here.

The ppc64-diag unsafe uses of temporary directories in these three
scenarios:

  "> /tmp/get_dt_files" [ in rtas_errd/diag_support.c ]
  
  mkdir "/tmp/diagSEsnap", 0775;
  $general_eed_file = "/tmp/diagSEsnap/snapH.tar.gz";
  system("/usr/sbin/snap -o $general_eed_file 2>/dev/null 1>&2");
  [ in scripts/ppc64_diag_mkrsrc ]

  TMP_DIR="/var/tmp/ras"
  mkdir -p $TMP_DIR
  MESSAGE_FILE="$TMP_DIR/messages"
  [ in lpd/test/lpd_ela_test.sh - see Novell bug 882667 ]

are primarily of interest because of symlink following, and are all
assigned CVE-2014-4038.

A second CVE for the ppc64-diag product is for the choice of weak
directory/file permissions for the snapH.tar.gz archive including data
that is not locally world-readable (e.g., /var/log/messages). This is
CVE-2014-4039.

A third CVE, CVE-2014-4040, is assigned for snap itself. snap can be
found at http://sourceforge.net/projects/powerpc-utils (i.e., it's not
part of the ppc64-diag product). This CVE is the one analogous to
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3925 (i.e., it
includes the "cleartext passwords ... lacks a warning" rationale).

CVE-2014-4039 and CVE-2014-4040 are vulnerabilities in different
products and can be addressed independently. For example, snapH.tar.gz
could have restrictive local permissions and still be sent to a remote
destination without review. Alternatively, snapH.tar.gz could continue
to have weak local permissions but snap could require the user to
acknowledge a warning about off-site distribution of an fstab
password, etc.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTn86OAAoJEKllVAevmvmsfkwIAKlbcEZenTWaedEVBs+NtrwN
VwvDgbTjl3fjXFVT+uSctiVwYbA4ZWQLD99SuaO+p7dGfh8/tTFap0Oo8vZ7nNgU
8uQ9/VH3zLm3MUwrpW9GWucGN0hfY6zKZ2hDU9UTYrQGTzIiQWlUVbjsWO99HLcM
vsk7/7nr9e/Jn4ke6/jNiTDLjnr8vENJx7oLui0kBrOZ+/PIrhtuO3A3aH/gN6cC
EQOxSppTeHR0v+DnikTj3i87x7VNGLDAGanATXw+qomrIenzP0TiadgLhBW/0J6/
9Y5YGlJRUs3IC2nZqb6OiOzK1T2I+wzVFo8QQGmIsNZV1LLhi78HHlrfYa36R+Y=
=Ygvd
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.