Re: Re: [klibc] [oss-security] CVE request: klibc: ipconfig sh script with unescaped DHCP options

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/22/2012 11:30 AM, Kurt Seifried wrote:
> On 05/22/2012 03:18 AM, maximilian attems wrote:
> > On Wed, 18 May 2011, Dan Rosenberg wrote:
>
> > > On Wed, May 18, 2011 at 4:29 PM, maximilian attems
> > > <max () stro at> wrote:
> > > > On Wed, May 18, 2011 at 04:13:05PM -0400, Dan Rosenberg
> > > > wrote:
> > > > > Might it be worth fixing the insecure temporary file
> > > > > usage?
> > > > >
> > > > > 122         snprintf(fn, sizeof(fn), "/tmp/net-%s.conf", 
> > > > > dev->name); 123         f = fopen(fn, "w");
> > > > >
> > > > > What if someone else has already created that file, or put
> > > > > a symlink or hard link there?
> > > >
> > > > for the initramfs case I don't see how. outside of initramfs 
> > > > usage I'd agree that this needs fixing.
> > >
> > > Right, this only applies after boot is done.
>
> > As klibc main target is initramfs usage this use case hasn't
> > come up much, so wasn't top priority. Just got reminded today by 
> > checking ipconfig backlog patches.
>
> > > > > What if someone overwrites your string with command
> > > > > injection characters despite your stripping?
> > > >
> > > > please be more verbose, what example do you have in mind?
> > >
> > > Sorry for not being clear.  If you're concerned about scripts 
> > > parsing this file while it has command injection strings in
> > > it, what's to stop someone from putting a malicious file there
> > > if one doesn't already exist?  It sounds like the scripts that
> > > depend on this file should probably be fixed here, or the file
> > > itself should be moved to a location where it's not writable
> > > by unprivileged users.
>
> > ipconfig in latest klibc git uses /run as you suggested. 
> > http://git.kernel.org/?p=libs/klibc/klibc.git;a=summary
>
> > thank you.
>
>
> Please use CVE-2012-2382 for this issue.

Please REJECT CVE-2012-2382, this is a duplicate of CVE-2011-1930, I
didn't check far back enough (my bad).

The original (correct assignment) is here:
http://seclists.org/oss-sec/2011/q2/460

Thanks to the security vendor that pointed this out (they did not want
public credit).

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPu9bHAAoJEBYNRVNeJnmTL8IQAIMEzlm10PF1VYv93J5QBeOI
DiDrhGc91MucGviPU4SXJiha+YvV9zuEJfxiuaStR15XhkzHN9k4c89aQgmTHaVH
lYbRMM8qCdhUyH9yz5br496riH8O7tVAdFE+cDoWo3JSmN+rRplN+Y4ibPduKY/B
vfaw+GowQWT5Ff0cm75iWNuiW+agnktJIZODeOwoO2NJl6hXewAPdkE2CjMTNB21
6WdLk47qXngVKum6KvhnBPG24IYJeNsi1P8rscATc01XqWgRXmeC94rLUWkXWbsX
i8OgynKJtNQqP6luEa1mi5PauHviFsYHBYc4pRzvSIU4Gxl7N2cFO7Tf7mi45Qpm
kY1bcAG7aVWCqLiqwI40JOZ9Z4FY3p/dboXaI8GmVbK06eMjjeBDlUx0C5xFZ9qJ
Sn8tWbGkHaHfLMxInrc8yeYUVQ4u+NMs7NFyzCBDhNP7uN+8HhJqMTvCsEOlSIxP
jIXbjI8NZ++eaLNGQyn0RtOa2+Z17XVKE+CoS+H4pfxGX66U/lHtRfxktkG5o9gH
Cs5LIJMfbF3AOJ5uER9I5sqPw4qOCPQr5ip5jyamCTveYl4EcXAJsAdGOwIhuQB8
4sfr49Bu2yItyj9+SBShk5JUVscYsZiPXPhP8WrtUnI9J72dvuwgFkZM8vyh1PPv
bV1/9OFluB7Pkmz98j06
=Yn84
-----END PGP SIGNATURE-----