|
Message-Id: <20150212172721.E686672E133@smtpvbsrv1.mitre.org> Date: Thu, 12 Feb 2015 12:27:21 -0500 (EST) From: cve-assign@...re.org To: Todd.Miller@...rtesan.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: sudo TZ issue -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Your February 9 message said "CVE request," your February 11 message didn't withdraw the request, and you mentioned that 'the promise that commands be started with a "safe" environment' is an intended property of sudo. That's sufficient for a CVE; use CVE-2014-9680. > There are really two issues here: exposure of TZ parsing bugs and > access to arbitrary (potentially user-controlled) files. I'm happy > to put the blame for TZ parsing bugs on libc or the application. > However, there is no real way for the application to tell that it > is being run by an unprivileged user and that operations that would > otherwise be safe (opening a user-specified time zone file) may be > dangerous. The scope of CVE-2014-9680 is limited to the undesired ability of an attacker to trigger an open call for a pathname outside the zoneinfo directory (whether this is done with an absolute pathname or a relative pathname). The scope of CVE-2014-9680 does not include blocking other types of invalid or potentially malicious TZ values. For example: > It is longer than the value of PATH_MAX. It seems simple to envision a program for which a length of PATH_MAX-2 triggers a buffer overflow. Even if such a program were known, we wouldn't want to assign a CVE ID to sudo on the basis that PATH_MAX-2 isn't blocked. > http://openwall.com/lists/oss-security/2014/10/15/24 > Procmail is another program that recklessly whitelists TZ Use CVE-2014-9681 for the similar issue in procmail. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJU3OIQAAoJEKllVAevmvms/M0H+QGrI9RHIuVe3o1srcyy7fSx qKl/T8hMjXLp5dliRa2MlTCHFqzpzuT/v+xeAk7u7HIRTyfo8eKqO5PJZANCTG3m 0dlBICOjLx3ne3QyP+2DSJM+iSh0Z5Qz2vpUKz05Ry0jSzEY/cF/t7NBPEo0f0pw CDMK/BxMVbhYHZnRs4MmCU0hPG2w0q/aa4I45rVJilB3z+sF1IDClw/uJWu3ZAMi ysAb278nfhMVzAklvzdwb2jpjk41orPPXY6XRGL2lsIEbZ+CFDPJs6mEW8q1oYxJ BE3nxsblJ543Y2KGkGVXXxg485H4FBhMkBL/znFmzPkHUKeTh3wl271d3krpbJU= =bEKj -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.