|
Message-Id: <20150925200413.DC3B16C406D@smtpvmsrv1.mitre.org> Date: Fri, 25 Sep 2015 16:04:13 -0400 (EDT) From: cve-assign@...re.org To: austinenglish@...il.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request for wget -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > https://mailman.boum.org/pipermail/tails-dev/2015-August/009370.html > https://lists.gnu.org/archive/html/bug-wget/2015-08/msg00020.html > http://git.savannah.gnu.org/cgit/wget.git/commit/?id=075d7556964f5a871a73c22ac4b69f5361295099 We really don't understand what set of expectations led to this becoming a CVE request for a vulnerability in wget. We know that a design goal of Tails is to prevent Internet servers from discovering the IP address of a machine running Tails. Possibly it's a design requirement of Tails that a developer needs to "torify" every piece of Internet client software before it can be shipped with the Tails distribution, and that a failure of a torify step is, by definition, a Tails vulnerability. (torify is explained on the https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO page.) If that's true, then a CVE ID can be provided for the Tails product. One of the things that happened is that the upstream wget developer made a change that we would categorize as a functionality/usability-versus-privacy tradeoff. Specifically, upstream decided it was better to omit the automatic fallback from passive to active. As far as we can tell, upstream hasn't announced this as a "wget vulnerability" -- they just reconsidered the tradeoff. A reconsidered tradeoff is generally outside the scope of CVE. We believe that reasonable behavior for wget on Tails is very different from reasonable behavior for the standard upstream distribution. Also, references such as https://bugzilla.suse.com/show_bug.cgi?id=944858#c4 suggest that there's a concern even without Tor: "An second information leak scenario is leaking of an internal IP address (e.g. from a private range) to an external entity when connecting through NAT." So, some of the options for sets of expectations are: 1. No piece of Internet client software may support any protocol feature in which the end-client machine's IP address is sent as part of application data. If any such feature is supported, it is a vulnerability because someone might try to use that protocol feature in conjunction with NAT, or Tor, or another type of proxy, and privacy would be compromised. This would, for example, mean that every FTP client must either completely rip out support for active mode, or at least warn the user that it is unsupported and require explicit user confirmation before proceeding. 2. Internet client software developers are responsible for providing a privacy-friendly configuration setting in which the end-client machine's IP address is never sent as part of application data. In the wget case, maybe this would be a wgetrc line of "passive_ftp = always" or "active_ftp = off" (i.e., active mode would never be used, either first or as a fallback). 3. Internet client software developers have a much wider range of reasonable behavior, although wrong documentation needs to be avoided. Specifically, NAT users aren't entitled to expect that their IP address (in a case such as FTP) will remain secret unless a developer chooses to explicitly document NAT privacy behavior. Tor users aren't entitled to expect that all of the necessary torify steps have been done in the upstream distribution. The torify steps are the responsibility of Tor-oriented products such as the Tor Browser Bundle (and possibly Tails, if torifying everything is their policy). (As one of the references mentioned, missing torify steps for wget aren't a new concept; see the https://lists.torproject.org/pipermail/tor-talk/2012-April/024040.html post from 2012.) Currently, for CVE assignment, options 1 and 2 are more or less false, and option 3 is more or less true. If an upstream developer makes a decision to do privacy hardening to avoid address disclosure, that's great, but regardless of the decision, there typically won't be a CVE ID assigned to that upstream product. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWBabRAAoJEL54rhJi8gl5PngP/3vNxfQYa3M50eLYPNsMzreo LN48gBIzf96DwffplTex2BgJRHpXKEdvQvetvjmc3TWb77Dl8J9F9pOfwCKAapCI 7wMoyR2f/WpaDs0RI4NIeGjh4UorLlN5NaRdIOfdvxfGD4rLSJY4wz12AvGvaUh9 Ynk8JlBbx++CSsEF6WCfOYFPSKDzF2c7hYrR2IR7+QPiKo7YSDp7Jy/gp2FuyI4p GH6T6SrbDHuw9YqtNACzp+TCRGJxuqAeXVhGqNdViiLZurhTl0hHkl4TsRIHwDPn SmaMnLLx3YbTwkpC1vH9aGTVeKCbXjt7RPDTy1v2dZSUMiljJXca892NkfJOqvXx piy0afjD9aXNhW1C1nkVlPC0zrCwa4cxxhm1M/T9k+18L1weYixl/pQnlZYAa+OH Lc5/YQPcpAqHQkk1Kyksl+qFjgmeXkUToPd1jgss6YVuuBnHku3gZjwTn5msM3i/ wN7FRBAB8CQvMCW/7Gkr0uYBfdlTo9o7tuvB5whdTzr2xyXpey0ns7axNX1FaY7b ut8HonGQryLBZexBdskOLVr0H+ihRjCd7AX/ijUUo5o8mNSAG/s0Y3Uh2W8MGrir n9p9k/r+aH82u+yoeJuTUT2QpWfJO4nYB6m84d8gl51gQlX2+FrXaRcFXkJkwrUY g66Lp4JhmaTWTiVpf1yX =RjXG -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.