Message-Id: <201404030424.s334OGBP017273@linus.mitre.org>
Date: Thu, 3 Apr 2014 00:24:16 -0400 (EDT)
From: cve-assign@...re.org
To: krahmer@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: KAuth security issues

It seems that, from the current
https://bugzilla.novell.com/show_bug.cgi?id=864716 progress, this
issue is not yet fixed, but possibly the primary affected "product"
has been established.

Two different products have been discussed:

1. KAuth
2. PolicyKit Library Qt Bindings (aka polkit-qt-1)

The discussion seems to suggest that the issue can't be properly fixed
by changing only polkit-qt-1, and letting KAuth continue to use
polkit-qt-1 in exactly the current way. Thus, the issue apparently
should be considered a KAuth vulnerability, not a polkit-qt-1
vulnerability.

Also, based on the information provided in the
http://www.openwall.com/lists/oss-security/2013/09/18/6 post, a
separate CVE ID is needed, not CVE-2013-4288.

Finally, there is apparently only one underlying problem in KAuth. The
problem is restated in
https://bugzilla.novell.com/show_bug.cgi?id=864716#c14 with an
example, i.e.,

  Consider org.kde.fontinst.service DBUS service, that is activated on
  behalf of user's request as a root service. It will therefore run with
  uid 0, even if triggered by user. For now it is just using the pid of
  user requesting the service. That's racy and the thing we want to fix.

but this seems equivalent to the original problem statement in the
http://www.openwall.com/lists/oss-security/2014/03/24/2 post.

So, would it be best to assign one CVE ID now, even though the final
approach to fixing the vulnerability is unknown?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
