[klibc] [oss-security] Re: [oss-security] CVE request: klibc: ipconfig sh script with unescaped DHCP options

Tue May 22 11:11:19 PDT 2012

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/22/2012 11:30 AM, Kurt Seifried wrote:
> On 05/22/2012 03:18 AM, maximilian attems wrote:
>> On Wed, 18 May 2011, Dan Rosenberg wrote:
> 
>>> On Wed, May 18, 2011 at 4:29 PM, maximilian attems
>>> <max at stro.at> wrote:
>>>> On Wed, May 18, 2011 at 04:13:05PM -0400, Dan Rosenberg
>>>> wrote:
>>>>> Might it be worth fixing the insecure temporary file
>>>>> usage?
>>>>> 
>>>>> 122         snprintf(fn, sizeof(fn), "/tmp/net-%s.conf", 
>>>>> dev->name); 123         f = fopen(fn, "w");
>>>>> 
>>>>> What if someone else has already created that file, or put
>>>>> a symlink or hard link there?
>>>> 
>>>> for the initramfs case I don't see how. outside of initramfs 
>>>> usage I'd agree that this needs fixing.
>>>> 
>>> 
>>> Right, this only applies after boot is done.
> 
>> As klibc main target is initramfs usage this use case hasn't
>> come up much, so wasn't top priority. Just got reminded today by 
>> checking ipconfig backlog patches.
> 
>>>>> What if someone overwrites your string with command
>>>>> injection characters despite your stripping?
>>>> 
>>>> please be more verbose, what example do you have in mind?
>>>> 
>>> 
>>> Sorry for not being clear.  If you're concerned about scripts 
>>> parsing this file while it has command injection strings in
>>> it, what's to stop someone from putting a malicious file there
>>> if one doesn't already exist?  It sounds like the scripts that
>>> depend on this file should probably be fixed here, or the file
>>> itself should be moved to a location where it's not writable
>>> by unprivileged users.
> 
>> ipconfig in latest klibc git uses /run as you suggested. 
>> http://git.kernel.org/?p=libs/klibc/klibc.git;a=summary
> 
>> thank you.
> 
> 
> Please use CVE-2012-2382 for this issue.

Please REJECT CVE-2012-2382, this is a duplicate of CVE-2011-1930, I
didn't check far back enough (my bad).

The original (correct assignment) is here:
http://seclists.org/oss-sec/2011/q2/460

Thanks to the security vendor that pointed this out (they did not want
public credit).

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPu9bHAAoJEBYNRVNeJnmTL8IQAIMEzlm10PF1VYv93J5QBeOI
DiDrhGc91MucGviPU4SXJiha+YvV9zuEJfxiuaStR15XhkzHN9k4c89aQgmTHaVH
lYbRMM8qCdhUyH9yz5br496riH8O7tVAdFE+cDoWo3JSmN+rRplN+Y4ibPduKY/B
vfaw+GowQWT5Ff0cm75iWNuiW+agnktJIZODeOwoO2NJl6hXewAPdkE2CjMTNB21
6WdLk47qXngVKum6KvhnBPG24IYJeNsi1P8rscATc01XqWgRXmeC94rLUWkXWbsX
i8OgynKJtNQqP6luEa1mi5PauHviFsYHBYc4pRzvSIU4Gxl7N2cFO7Tf7mi45Qpm
kY1bcAG7aVWCqLiqwI40JOZ9Z4FY3p/dboXaI8GmVbK06eMjjeBDlUx0C5xFZ9qJ
Sn8tWbGkHaHfLMxInrc8yeYUVQ4u+NMs7NFyzCBDhNP7uN+8HhJqMTvCsEOlSIxP
jIXbjI8NZ++eaLNGQyn0RtOa2+Z17XVKE+CoS+H4pfxGX66U/lHtRfxktkG5o9gH
Cs5LIJMfbF3AOJ5uER9I5sqPw4qOCPQr5ip5jyamCTveYl4EcXAJsAdGOwIhuQB8
4sfr49Bu2yItyj9+SBShk5JUVscYsZiPXPhP8WrtUnI9J72dvuwgFkZM8vyh1PPv
bV1/9OFluB7Pkmz98j06
=Yn84
-----END PGP SIGNATURE-----