Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <Pine.GSO.4.51.0903312049060.1590@faron.mitre.org>
Date: Tue, 31 Mar 2009 21:12:25 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security <oss-security@...ts.openwall.com>
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request -- zsh, XFree86-xfs/xorg-x11-xfs,
 screen


On Wed, 25 Mar 2009, Jan Lieskovsky wrote:

> 1, zsh Stack-based buffer overflow due improper escaping of the '!' character
>    References:
>    https://bugs.launchpad.net/ubuntu/+source/zsh/+bug/333722
>    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521108
>    https://bugzilla.redhat.com/show_bug.cgi?id=492089

This doesn't seem like a vulnerability to me.  It's only executable in
interactive mode.  If the attacker can already type in commands, then they
already have the privileges to execute code.

> 2, XFree86-xfs / xorg-x11-xfs Unsafe usage of temporary file
>    References:
>    https://bugs.launchpad.net/ubuntu/+source/xfs/+bug/299560
>    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521107
>    https://bugzilla.novell.com/show_bug.cgi?id=408006
>    https://bugzilla.redhat.com/show_bug.cgi?id=492098

Is this a regression of CVE-2007-3103 (DEBIAN:DSA-1342) or is there
something else going on here?

> 3, screen: Unsafe usage of temporary file
>    References:
>    https://bugs.launchpad.net/ubuntu/+source/screen/+bug/315993
>    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123
>    https://bugzilla.redhat.com/show_bug.cgi?id=492104

CVE-2009-1214 - world-readable permissions
CVE-2009-1215 - symlink following

- Steve

======================================================
Name: CVE-2009-1214
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1214
Reference: MLIST:[oss-security] 20090325 CVE request -- zsh, XFree86-xfs/xorg-x11-xfs, screen
Reference: URL:http://www.openwall.com/lists/oss-security/2009/03/25/7
Reference: MISC:http://savannah.gnu.org/bugs/?25296
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123
Reference: CONFIRM:https://bugs.launchpad.net/ubuntu/+source/screen/+bug/315993
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=492104

GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with
world-readable permissions, which might allow local users to obtain
sensitive session information.


======================================================
Name: CVE-2009-1215
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1215
Reference: MLIST:[oss-security] 20090325 CVE request -- zsh, XFree86-xfs/xorg-x11-xfs, screen
Reference: URL:http://www.openwall.com/lists/oss-security/2009/03/25/7
Reference: MISC:http://savannah.gnu.org/bugs/?25296
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123
Reference: CONFIRM:https://bugs.launchpad.net/ubuntu/+source/screen/+bug/315993
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=492104

Race condition in GNU screen 4.0.3 allows local users to create or
overwrite arbitrary files via a symlink attack on the
/tmp/screen-exchange temporary file.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.