Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20141006064318.4D8B7C5057B@smtptsrv1.mitre.org>
Date: Mon,  6 Oct 2014 02:43:18 -0400 (EDT)
From: cve-assign@...re.org
To: krahmer@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, mbriza@...hat.com
Subject: Re: various sddm vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> From: mbriza@...hat.com

> Although we don't believe any of the issues you reported could lead to
> a privilege escalation (as some of the resulting bugreports suggest),
> we consider them to be security issues.

> https://github.com/sddm/sddm/pull/279

> https://bugzilla.suse.com/show_bug.cgi?id=897788#c6
> sddm user is not available for choosing in the first place

As far as we can tell, the vendor considers it a vulnerability for
unauthenticated logins as sddm to succeed, so we'll assign
CVE-2014-7271. The conditions under which this can happen are not
clear; maybe one or more of these is true:

  - sddm is a regular user account, not a uid-below-1000 account, on
    some systems because a Linux distribution is allowed to customize
    the sddm account name in its own sddm package

  - sddm is a regular user account, not a uid-below-1000 account, on
    some systems because that username was in use before sddm was
    installed

  - there's a way to choose to login as sddm even if sddm isn't on the
    list of users


> https://bugzilla.suse.com/show_bug.cgi?id=897788#c7
> https://bugzilla.suse.com/show_bug.cgi?id=897788#c8
> https://bugzilla.suse.com/show_bug.cgi?id=897788#c9
> https://github.com/sddm/sddm/pull/280

Apparently the primary problem is unsafe write operations into a
directory that's completely controlled by a unprivileged user. (The
chown is, in some sense, a write operation on security-relevant file
metadata.) Use CVE-2014-7272 for all of these three.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUMjmKAAoJEKllVAevmvmsyBcH/RNiNIUywq9yYODGZ1/2bPWU
acu4SMFvHtZ0eP26c1KYq5R7WJG/3TQwCz9OdA1SjfxcIwnBGNFOd+f85SA95v/t
QVS7kLmGZQ74Z+zd+WQBDd5HNIQRpz3hJM1ppIMDwQY3xgulRN71GUKI/IRNVAL/
cxIxHnhqPWoO7Uc0+3IRZkp7fJ07+NQZreaUMxBZWYe/hE5tJXxhQIM+wuFJ0XEs
DMjs2gRspQQiv2TRQX1S09vg7oVdrgTIkJPJsVPqqzMBjq6mMYIIj/yuKiU8pel+
EMBZtSedbJESOawciOKsrFLJ1ZaYGydOhKFBhu4DHAf1FXl7Ii+h8QDeOOSF+5M=
=GZYa
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.