oss-sec mailing list archives
incorrect description for CVE-2010-0412 systemtap flaw
From: Vincent Danen <vdanen () redhat com>
Date: Thu, 25 Feb 2010 11:47:01 -0700
Hi Steve and other vendors. There is a bit of confusion around the description of CVE-2010-0412. This was due to some miscommunication as to whether or not the full extent of the flaw was public, which is why I didn't send a message sooner to explain why it was assigned.
Name: CVE-2010-0412
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0412
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20100127
Category:
Reference: MLIST:[scm-commits] 20100215 rpms/systemtap/devel systemtap-1.1-tighten-server-params.patch, NONE, 1.1 systemtap.spec, 1.59, 1.60
Reference: URL:http://lists.fedoraproject.org/pipermail/scm-commits/2010-February/394714.html
Reference: FEDORA:FEDORA-2010-1373
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035201.html
Reference: FEDORA:FEDORA-2010-1720
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035261.html
Reference: BID:38316
Reference: URL:http://www.securityfocus.com/bid/38316

stap-server in SystemTap 1.1 does not properly restrict the value of the -B (aka BUILD) option, which allows attackers to have an unspecified impact via vectors associated with executing the make program, a different vulnerability than CVE-2009-4273.
The original fix for CVE-2009-4273 was incomplete, as noted in the upstream bug report for the original flaw:

http://sourceware.org/bugzilla/show_bug.cgi?id=11105#c8

This is still the same root flaw as CVE-2009-4273, not a different vulnerability, so we had assigned CVE-2010-0412 as a "fix for the incomplete fix of CVE-2009-4273", due to the fact that CVE-2009-4273 has this description:

"stap-server in SystemTap before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in stap command-line arguments in a request."

The original fix secured only the first link (stap server -> stap), but the second link (stap -> make) was not fixed. The -B option is not the problem so much as an example of the problem. I think Frank will agree that this is not a new flaw, so the CVE description should be changed to reflect that.

Upstream's bug report has links to the two patches that solve the remaining unfixed bits of CVE-2009-4273 (#c10).

Thanks, and my apologies for the confusion on this.

--
Vincent Danen / Red Hat Security Response Team
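The two-link chain described in the post (stap-server -> stap -> make) is worth seeing as code, because it shows why a fix at the first hop can be correct and still incomplete. The block below is an added example, not SystemTap code and not the patches from the upstream bug: it is a constructed toy model in which the function names (hop1_unfixed, hop1_first_fix, hop2_make_argv, hop1_hardened), the option set, and the way -B is forwarded are all hypothetical. Commands are only built as argv lists and never executed, so it runs offline. The first fix replaces shell string building with an argv list, which neutralises shell metacharacters, but still forwards every client option; the constructed second hop then hands -B values to make untouched. The hardened first hop instead allowlists the options a client may send, validates each argument, and simply does not admit options that influence a downstream tool.

```python
import re
import shlex
from typing import Dict, List, Optional, Pattern


class RejectedRequest(ValueError):
    """Raised by the hardened hop when a client request is not allowlisted."""


def hop1_unfixed(request: str) -> str:
    # Constructed model of the original flaw: the client-supplied request is
    # pasted into a shell command line, so metacharacters reach a shell.
    return "stap " + request


def hop1_first_fix(request: str) -> List[str]:
    # Constructed model of the first fix: tokenise and build argv, no shell.
    # Metacharacters are now inert, but every option is still forwarded.
    return ["stap"] + shlex.split(request)


def hop2_make_argv(stap_argv: List[str]) -> List[str]:
    # Constructed model of the second link (stap -> make): anything tagged -B
    # is forwarded to make verbatim. This is the link the first fix left open.
    make = ["make"]
    tokens = iter(stap_argv[1:])
    for tok in tokens:
        if tok == "-B":
            make.append(next(tokens, ""))
        elif tok.startswith("-B"):
            make.append(tok[2:])
    return make


# Hypothetical allowlist for the hardened hop: option -> argument validator
# (None means a bare flag). -B is absent on purpose: it steers make, so a
# client must not be able to send it at all.
ALLOWED: Dict[str, Optional[Pattern[str]]] = {
    "-v": None,                                   # verbosity flag
    "-p": re.compile(r"[1-5]"),                   # pass number 1..5
    "-m": re.compile(r"[A-Za-z_][A-Za-z0-9_]*"),  # module name
}


def hop1_hardened(request: str) -> List[str]:
    # Hardened first hop: reject anything outside the allowlist and validate
    # every argument with fullmatch, so neither unknown options nor odd
    # argument values can reach stap (and through it, make).
    toks = shlex.split(request)
    argv = ["stap"]
    i = 0
    while i < len(toks):
        opt = toks[i]
        if opt not in ALLOWED:
            raise RejectedRequest("option not permitted: %r" % opt)
        validator = ALLOWED[opt]
        if validator is None:
            argv.append(opt)
            i += 1
            continue
        if i + 1 >= len(toks) or not validator.fullmatch(toks[i + 1]):
            raise RejectedRequest("bad argument for %s" % opt)
        argv.extend([opt, toks[i + 1]])
        i += 2
    return argv


def is_rejected(request: str) -> bool:
    """True if the hardened hop refuses the request."""
    try:
        hop1_hardened(request)
    except RejectedRequest:
        return False if False else True
    return False


if __name__ == "__main__":
    # Constructed sample requests, one benign and two that probe each link.
    for req in ["-v -p 4 -m probe_mod", "-p '4; echo hi'", "-v -B FOO=bar"]:
        argv = hop1_first_fix(req)
        print("first fix :", argv, "-> make gets", hop2_make_argv(argv))
        print("hardened  :", "rejected" if is_rejected(req) else hop1_hardened(req))
```

The point the model makes is the one in the post: checking for shell metacharacters at the first hop answers the CVE-2009-4273 description, but the property that actually matters is that no client-controlled value can steer any tool further down the chain. An allowlist expresses that property directly, whereas a denylist of characters or of one option (-B) only addresses the example.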