Date: Fri, 23 May 2014 14:21:19 -0400 (EDT)
Subject: Re: Upcoming security release of fish 2.1.1

> First, we should mention that a single CVE ID cannot be used for a set
> of related issues that have different affected versions. For the
> earlier message that mentioned CVE-2014-2906 and CVE-2014-2914,
> approximately two more CVE IDs will be needed. We will send those
> later.

>> CVE-2014-2906: fish temporary file creation vulnerable to race condition
>> leading to privilege escalation
>>   Versions 1.23.0 to 2.1.0 (inclusive) execute code from these temporary files,
>>   allowing privilege escalation to those of any user running fish, including
>>   root.
>>   Additionally, from at least version 1.16.0 to version 2.1.0 (inclusive),
>>   fish will read data using the psub function from these temporary files,
>>   meaning that the input of commands used with the psub function is under the
>>   control of the attacker.

This actually needs two CVE IDs because there are two affected
functions, with different sets of affected versions. (For example,
there is a psub vulnerability in version 1.22.0, but there is no
funced vulnerability in 1.22.0 because funced didn't yet exist.)

For the psub vulnerability, please continue to use CVE-2014-2906.

For the funced vulnerability, please use CVE-2014-3856.

>>   fish version 2.1.1 restricts incoming connections to localhost only. At this
>>   stage, users should avoid running fish_config on systems where there are
>>   untrusted local users, as they are still able to connect to the fish_config
>>   service and elevate their privileges to those of the user running
>>   fish_config.

At present, we're not assigning an additional CVE ID for this "local
users ... elevate their privileges" issue. Our interpretation is that
you're not trying to make an announcement that 2.1.1 is a vulnerable
version. Instead, you're trying to document the machine environment on
which fish_config in 2.1.1 can be safely used (i.e., machines with
untrusted local users are not fully supported for fish_config at the
moment). If you actually wanted a CVE ID for versions 2.1.1 and
earlier, referring to the fish_config attack by local users, please
let us know.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
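Added example, not code from the fish project or from anyone in this thread: a POSIX sh sketch of the race-prone temporary-file pattern the quoted advisory describes (a predictable name in a shared directory, checked and then written in two steps) beside a hardened version that creates a private directory atomically, plus a pre-use check a psub-style helper could run before reading from or executing a file. The function names and the /tmp layout are assumptions; mktemp(1) is assumed to be available.

```shell
#!/bin/sh
# Added example (not fish's own code): race-prone vs. hardened temp-file creation.

# Unsafe: predictable name in a world-writable directory. Between the
# existence test and the write, another local user can pre-create the path
# or drop a symlink there (classic TOCTOU), and whatever the shell later
# reads or executes from it is then under that user's control.
unsafe_tmpfile() {
    f="/tmp/psub.$$"
    [ -e "$f" ] || : > "$f"   # window between the check and the create
    printf '%s\n' "$f"
}

# Hardened: mktemp -d creates a uniquely named directory atomically (O_EXCL),
# so no pre-created path can be hijacked; mode 0700 keeps other local users
# out, and umask 077 makes the file inside it private as well.
safe_tmpfile() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/psub.XXXXXX") || return 1
    chmod 700 "$d" || return 1
    f="$d/data"
    (umask 077 && : > "$f") || return 1
    printf '%s\n' "$f"
}

# Pre-use check: refuse a path that is a symlink, not a regular file, or
# owned by someone other than the current user. Returns 0 only when all hold.
tmpfile_is_private() {
    f=$1
    [ ! -L "$f" ] || return 1   # symlink: could point anywhere
    [ -f "$f" ] || return 1     # must be a regular file
    [ -O "$f" ] || return 1     # must be owned by us
    return 0
}
```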
[ PGP key available through ]