Message-ID: <552F38FC.3010109@redhat.com>
Date: Thu, 16 Apr 2015 09:52:20 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Problems in automatic crash analysis frameworks

On 04/16/2015 09:34 AM, cve-assign@...re.org wrote:

> As far as we can tell, the other issues in the "Furthermore, Abrt
> suffers" section of
> http://openwall.com/lists/oss-security/2015/04/14/4 are about an
> attacker who must create a symlink as part of an attack with a goal of
> making the collected crash data include unintended (and possibly
> private) information. We currently think that a single CVE ID can be
> used for all of them.
> 
> 

IMO two CVEs are required:

"Various symlink flaws in abrt" and "Various race conditions in abrt"

I am not sure if the exploit used one or both of these issues to achieve
privesc, but both of these issues exist, are security flaws and may
have varied impact. (Maybe not easy to exploit?)

-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
