Date: Tue, 6 May 2014 04:07:32 -0400 (EDT)
Subject: Re: Upcoming security release of fish 2.1.1


> There is also a symlink attack that doesn't depend on a race condition, so we'll
> include a patch for that as well.
> Could we have an additional CVE-ID assigned, please?

First, we should mention that a single CVE ID cannot be used for a set
of related issues that have different affected versions. For the
earlier message that mentioned CVE-2014-2906 and CVE-2014-2914,
approximately two more CVE IDs will be needed. We will send those

For "a symlink attack that doesn't depend on a race condition,"
ultimately the answer is yes, you can have a separate CVE ID - use
CVE-2014-3219. Probably at least a few oss-security readers would want
us to explain why, so here's the explanation for them.

When there are discoveries of two instances of essentially the same
composite, and there's any difference in the set of weaknesses for
those two instances, we might want to have a general rule that two
separate CVE IDs are always assigned. In practice, the Symlink
Following composite is treated as somewhat of a special case in CVE.
If we have one Symlink Following instance associated with two
weaknesses, and a different Symlink Following instance associated with
three weaknesses, we sometimes assign only one CVE ID. Possibly we
will reevaluate that. (There's also often a complication that the
available information is only that distinct Symlink Following
instances exist; the information about the weaknesses is missing.)

For the code fixed in the
commit, an additional factor is that the Symlink Following composite
exists and is relevant, but there's a more important attack that does
not rely on Symlink Following. In between when the temporary filename
is chosen and when the temporary filename is used, the attacker can
place something at the temporary pathname. One option is a symlink,
and fish will follow that symlink and perhaps overwrite an important
file. Another option is a plain world writable file. In that case,
fish writes to the file, but the attacker can change the contents of
the file immediately before fish proceeds to execute the file. Thus,
even if we did the abstraction based on "same commonly used composite
name," we would still end up with a different CVE ID than for the new
"symlink attack that doesn't depend on a race condition" report,
because the pre-c0989dce2d882c94eb3183e7b94402ba53534abb code isn't
solely characterized by a Symlink Following composite. Finally, we
probably don't want to have two CVE IDs for a single case where mktemp
is introduced - even when both Symlink Following and (roughly
speaking) code injection are possible from the same set of weaknesses.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA

