oss-sec mailing list archives
Re: Re: Problems in automatic crash analysis frameworks
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Thu, 16 Apr 2015 09:52:20 +0530
On 04/16/2015 09:34 AM, cve-assign () mitre org wrote:
> As far as we can tell, the other issues in the "Furthermore, Abrt suffers" section of http://openwall.com/lists/oss-security/2015/04/14/4 are about an attacker who must create a symlink as part of an attack with a goal of making the collected crash data include unintended (and possibly private) information. We currently think that a single CVE ID can be used for all of them.
IMO two CVEs are required: "Various symlink flaws in abrt" and "Various race conditions in abrt".

I am not sure if the exploit used one or both of these issues to achieve privesc, but both of these issues exist, are security flaws and may have varied impact. (Maybe not easy to exploit?)

--
Huzaifa Sidhpurwala / Red Hat Product Security Team