Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20160108005424.5F00C6C005A@smtpvmsrv1.mitre.org>
Date: Thu,  7 Jan 2016 19:54:24 -0500 (EST)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: netfilter-persistent: (local) information leak due to world-readable rules files

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> iptables-persistent (in Debian) is a loader for netfilter configuration
> using a plugin-based architecture.
> 
> iptables-persistent is vulnerable to a (local) information leak due to
> world-readable rules files. It was reported in Debian in
> 
> https://bugs.debian.org/764645
> 
> And fixed via
> 
> https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/commit/?id=37905034f07e94c4298a1762b39b7bbd4063c0df

Do you have any further information about why this should be
considered a vulnerability in general? We realize that it might, at
least, be considered a vulnerability for Debian systems because of
"Tags: security" in the original report.

For example, is there a specific piece of data in the files that is
always supposed to be private?

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764645#5 indicates
that an unprivileged user can obtain information by directly opening
the files, but cannot obtain this information with an
"/sbin/iptables -L" command. This does not, by itself, establish that
a security feature has been defeated. It is possible that it was
simply inconvenient to implement the -L option in a way that provided
access to unprivileged users.

What we are trying to avoid is a situation in which CVE IDs are
assigned solely because a system administrator might not want files to
be readable by unprivileged users. For example, maybe someone would
prefer stricter /etc/hosts.allow permissions to prevent rogue local
users from discovering the names of other hosts that possibly have
symmetric "allow" policies.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWjwg3AAoJEL54rhJi8gl5KeEP/jez+zmk3CO4xMx9f5yWwSSR
1NHAQ6YpSOWBrrBz1BKvdVYYkfS+OgjvI7Y7XMTPgXG6QRYrYGVa8QqLkE1TlFUr
7q3pgONQ9+O+B15J8cZNSYXcu8paEi641Jrui25jyltadL++FYblJ0kF7uL9q7fF
H/lAsZPKNAID3QBEmhtF7kMrHPmL5+VpWzaxRnnr71nO8v0V5sdUJToXCXI9ZOT8
GQVkAajWcFZX7EqHRchXGGTC2bVXm4UThTLm/HxKTev1rUKt3FbFxJRtLA1KYNBM
jO8ZZ+/zJuY1Yn8UsLhPCornccafv1oOqsxSh0WXWDhYpedM9onlqUeZqeTip/yi
K6nbK1WgcUD7fKJVRjBgmzJbcIw1WtYk0BQg51nXnURcbztZ1ICQwCtEvHwC4xsP
kXBTsXCYHHyzTIPRN2LWWVWzFUMxeDL7PGv8Glf+HGx2OQdycHZlhdKO/eVLy/o0
k/QfcoNxoO4xh42Q9LkyLM/NQ+DNk1bpfMsfOBiFVPdzyzThU5l610EIxVWBumdG
DWWefmwjSryUtuTL7PoGkbUvvExCHmpgzoGTcBAiRHwoA+CZDxqZi0epoODGUkTo
eUbVFKkepd3hO6Bv3v5O0NLIQ3SCRtUSfp7JTFaWLRfxdlDuod7V4Khxwvwwj6lA
QBOU0aocrXDg6aAoneV5
=FspR
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.