Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <201402251819.s1PIIxBp014045@linus.mitre.org>
Date: Tue, 25 Feb 2014 13:18:59 -0500 (EST)
From: cve-assign@...re.org
To: vdanen@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for catfish program

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I was looking at the installed script on a Fedora 19 box

Apparently the situation is that the Fedora catfish.spec file
generates the duplicate checks for $APPNAME.py. It's uncommon to have
different CVE mappings for Fedora-shipped versions versus upstream
versions, but in this case we'll proceed to do that because the CVE
abstraction was already stated that way, and the attack vectors are
actually different.

catfish.py in the current working directory - Use CVE-2014-2093.

catfish.pyc in the current working directory - Use CVE-2014-2094.

bin/catfish.pyc under the current working directory - Use
CVE-2014-2095.

bin/catfish.py under the current working directory - Use
CVE-2014-2096.

If someone installs the upstream version of either catfish 0.4.0.2 or
catfish 0.8.2, they get a script that unsafely looks for both
catfish.pyc and catfish.py.

If someone installs either the Fedora 19 catfish-0.4.0.2-2 package or
the Fedora 20 catfish-0.8.2-1 package, they get a script that unsafely
looks for only catfish.py (twice).

This apparently occurs because of:

[Fedora 19 catfish.spec]
%{__sed} -i.byte \
        -e 's|pyc|py|' \
        %{name}.in

[Fedora 20 catfish.spec]
%{__sed} -i.byte \
        -e 's|pyc|py|' \
        bin/%{name}.in.in

We don't know why that was done. (Maybe Fedora has a policy against
certain uses of .pyc files, and this policy is implemented in
the .spec files of various packages?)

This specific case isn't very interesting because every one of the
mentioned versions of catfish on every platform is actually
vulnerable. However, probably no Fedora advisory should map to either
CVE-2014-2094 or CVE-2014-2095.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTDN2+AAoJEKllVAevmvmsPDcIAKLt8d3r+Olt8pIdmwopfY02
DwiRNxpYjheWVGboN9z5daSaCFkVjAT6SRFrXJKF4l/mQF1RtBSk2LpRgs7v4x9B
4ttIx3/agJO5nPXLrHW4BNNrcjni42GInvUQa29YyZbFN19Z2YjQJbMeFDEjqE1F
cY8sR0ZEQKPhrb60Njk+QY7ATe25eMHMOm9KyrEvggj/EvPthq24nbf3uhvfB60A
oQByal7gfCy0oOaOdoAB2ub9b2Gz0n2PfOKeoCFqgHgvlBzVRkM+EKNsYGbLBq28
xaBrzf0byXKOGlL1FPYt9TyHsXRqGuRXsrxihpxiygOffJT+3a7TN+p3lnsMa1k=
=3v2f
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.