Re: duplicates: CVE-2008-4406 and CVE-2008-4407 [sabre insecure temp file]

["Steven M. Christey" <coley () linus mitre org>]

On Sat, 4 Oct 2008, Steffen Joeris wrote:

> The CVE ids issued for sabre regarding the insecure use of the tmp file
> are the same. The issue was introduced by a debian patch, but other
> vendors might have possibly patched it the same way. I suggest to mark
> one of them as a duplicate though, because it might be confusing.

We happened to SPLIT on the symlink issue versus the "can't overwrite
/tmp/sabre.log" issue because fixing the symlink does not necessarily fix
the other problem.  Also, if the patch introduced CVE-2008-4407 and others
might have used that patch, these are distinct errors - someone might have
fixed CVE-2008-4406 but not CVE-2008-4407.

Some more explanation is below; let me know if I'm still missing
something.

I've noticed that Debian generally treats multiple different errors as a
more general "insecure file creation" issue.  For CVE, we haven't figured
out how to handle this.

- Steve

======================================================
Name: CVE-2008-4406
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4406
Acknowledged: yes bug-report
Announced: 20081001
Flaw: link
Reference: MLIST:[oss-security] 20081001 CVE id request: sabre
Reference: URL:http://openwall.com/lists/oss-security/2008/10/01/1
Reference: CONFIRM:http://bugs.debian.org/433996

A certain Debian patch to the run scripts for sabre (aka xsabre)
0.2.4b allows local users to delete or overwrite arbitrary files via a
symlink attack on unspecified .tmp files.


Analysis:
WIKI: Message #10 in bug 433996 says "delete" whereas
oss-security/2008/10/01/1 says "overwriting."

WIKI: It is unclear whether ".tmp files" is different from
/tmp/sabre.log.

ACKNOWLEDGEMENT: in Debian bug 433996, Nico Golde set the severity to
"grave," implying acknowledgement.


======================================================
Name: CVE-2008-4407
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4407
Acknowledged: unknown
Announced: 20081001
Flaw: other
Reference: MISC:http://bugs.debian.org/433996

XRunSabre in sabre (aka xsabre) 0.2.4b relies on the ability to create
/tmp/sabre.log, which allows local users to cause a denial of service
(application unavailability) by creating a /tmp/sabre.log file that
cannot be overwritten.


Analysis:
INCLUSION: This seems to be a distinct vulnerability, although this
type of vulnerability happens to accompany cases of symlink
vulnerabilities that involve fixed filenames and unprivileged users.

ACKNOWLEDGEMENT: in Debian bug 433996, Nico Golde set the severity to
"grave," implying acknowledgement.