oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

incorrect description for CVE-2010-0412 systemtap flaw

From: Vincent Danen <vdanen () redhat com>
Date: Thu, 25 Feb 2010 11:47:01 -0700
Hi Steve and other vendors.  There is a bit of confusion around the
description of CVE-2010-0412.  This was due to some miscommunication as
to whether or not the full extent of the flaw was public, which is why
I didn't send a message sooner to explain why it was assigned.


Name: CVE-2010-0412
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0412
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20100127
Category:
Reference: MLIST:[scm-commits] 20100215 rpms/systemtap/devel systemtap-1.1-tighten-server-params.patch, NONE, 1.1 
systemtap.spec, 1.59, 1.60
Reference: URL:http://lists.fedoraproject.org/pipermail/scm-commits/2010-February/394714.html
Reference: FEDORA:FEDORA-2010-1373
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035201.html
Reference: FEDORA:FEDORA-2010-1720
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035261.html
Reference: BID:38316
Reference: URL:http://www.securityfocus.com/bid/38316

stap-server in SystemTap 1.1 does not properly restrict the value of
the -B (aka BUILD) option, which allows attackers to have an
unspecified impact via vectors associated with executing the make
program, a different vulnerability than CVE-2009-4273.


The original fix for CVE-2009-4273 was incomplete, as noted in the
upstream bug report for the original flaw:

http://sourceware.org/bugzilla/show_bug.cgi?id=11105#c8

This is still the same root flaw as CVE-2009-4273, not a different
vulnerability, so we had assigned CVE-2010-0412 as a "fix for the
incomplete fix of CVE-2009-4273", due to the fact CVE-2009-4273 has this
description:

"stap-server in SystemTap before 1.1 allows remote attackers to execute
arbitrary commands via shell metacharacters in stap command-line
arguments in a request."

The original fix secured only the first link (stap server -> stap), but
the second link (stap -> make) was not fixed.  The -B option is not the
problem so much as an example of the problem.

I think Frank will agree that this is not a new flaw, so the CVE
description should be changed to reflect that.

The -B option is not
the problem so much as an example of the problem.

Upstream's bug report has links to the two patches that solve the
remaining unfixed bits of CVE-2009-4273 (#c10).

Thanks, and my apologies for the confusion on this.

--
Vincent Danen / Red Hat Security Response Team
Previous By Date Next
Previous By Thread Next

Current thread: