[klibc] [oss-security] Re: [oss-security] CVE request: klibc: ipconfig sh script with unescaped DHCP options
Kurt Seifried
kseifried at redhat.com
Tue May 22 11:11:19 PDT 2012
On 05/22/2012 11:30 AM, Kurt Seifried wrote:
> On 05/22/2012 03:18 AM, maximilian attems wrote:
>> On Wed, 18 May 2011, Dan Rosenberg wrote:
>
>>> On Wed, May 18, 2011 at 4:29 PM, maximilian attems
>>> <max at stro.at> wrote:
>>>> On Wed, May 18, 2011 at 04:13:05PM -0400, Dan Rosenberg
>>>> wrote:
>>>>> Might it be worth fixing the insecure temporary file
>>>>> usage?
>>>>>
>>>>>     snprintf(fn, sizeof(fn), "/tmp/net-%s.conf", dev->name);
>>>>>     f = fopen(fn, "w");
>>>>>
>>>>> What if someone else has already created that file, or put
>>>>> a symlink or hard link there?
>>>>
>>>> for the initramfs case I don't see how. outside of initramfs
>>>> usage I'd agree that this needs fixing.
>>>>
>>>
>>> Right, this only applies after boot is done.
>
>> As klibc main target is initramfs usage this use case hasn't
>> come up much, so wasn't top priority. Just got reminded today by
>> checking ipconfig backlog patches.
>
>>>>> What if someone overwrites your string with command
>>>>> injection characters despite your stripping?
>>>>
>>>> please be more verbose, what example do you have in mind?
>>>>
>>>
>>> Sorry for not being clear. If you're concerned about scripts
>>> parsing this file while it has command injection strings in
>>> it, what's to stop someone from putting a malicious file there
>>> if one doesn't already exist? It sounds like the scripts that
>>> depend on this file should probably be fixed here, or the file
>>> itself should be moved to a location where it's not writable
>>> by unprivileged users.
>
>> ipconfig in latest klibc git uses /run as you suggested.
>> http://git.kernel.org/?p=libs/klibc/klibc.git;a=summary
>
>> thank you.
>
>
> Please use CVE-2012-2382 for this issue.
Please REJECT CVE-2012-2382, this is a duplicate of CVE-2011-1930, I
didn't check far back enough (my bad).
The original (correct assignment) is here:
http://seclists.org/oss-sec/2011/q2/460
Thanks to the security vendor that pointed this out (they did not want
public credit).
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
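
The temporary-file concern raised in the quoted thread (a file, symlink or hard link already sitting at the predictable `/tmp/net-<dev>.conf` path), shown as an added example that is not klibc code and not part of the original message. It complements the move to `/run` mentioned above by making the create step itself fail closed. `write_conf()`, `demo()`, the directory name and the file contents are hypothetical and constructed for illustration.

```c
/* Added example, not klibc code: write_conf() and demo() are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create <dir>/net-<ifname>.conf, refusing anything already planted at that
 * path. Returns 0 on success or -errno on failure. */
int write_conf(const char *dir, const char *ifname, const char *body)
{
    char fn[256];
    size_t len = strlen(body);
    if (ifname[0] == '\0' || strchr(ifname, '/'))
        return -EINVAL;                 /* the name must stay inside dir */
    if (snprintf(fn, sizeof(fn), "%s/net-%s.conf", dir, ifname) >= (int)sizeof(fn))
        return -ENAMETOOLONG;
    /* O_EXCL fails with EEXIST if the path exists in any form (regular file,
     * hard link, or symlink, even a dangling one); O_NOFOLLOW is defensive. */
    int fd = open(fn, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -errno;
    int err = write(fd, body, len) == (ssize_t)len ? 0 : -EIO;
    if (close(fd) != 0 && err == 0)
        err = -errno;
    return err;
}

/* Constructed scenario: optionally plant a symlink at the predictable name
 * before writing. Returns write_conf()'s result, or 1 if the write went
 * through the symlink and created its target. */
int demo(int plant_symlink)
{
    char dir[] = "/tmp/ipconfig-demo-XXXXXX", path[64], victim[64];
    struct stat st;
    if (!mkdtemp(dir))
        return -errno;
    snprintf(path, sizeof(path), "%s/net-eth0.conf", dir);
    snprintf(victim, sizeof(victim), "%s/victim", dir);
    if (plant_symlink && symlink(victim, path) != 0)
        return -errno;
    int rc = write_conf(dir, "eth0", "DEVICE=eth0\n"); /* constructed contents */
    int followed = stat(victim, &st) == 0;
    unlink(path); unlink(victim); rmdir(dir);
    return followed ? 1 : rc;
}

int main(void) { return !(demo(1) == -EEXIST && demo(0) == 0); }
```

With the original `fopen(fn, "w")` the planted symlink would be followed and its target truncated; here the call returns `-EEXIST` and the target is never created.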