oss-sec mailing list archives
Re: duplicates: CVE-2008-4406 and CVE-2008-4407 [sabre insecure temp file]
From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 7 Oct 2008 16:56:27 -0400 (EDT)
On Sat, 4 Oct 2008, Steffen Joeris wrote:
The CVE ids issued for sabre regarding the insecure use of the tmp file are the same. The issue was introduced by a debian patch, but other vendors might have possibly patched it the same way. I suggest to mark one of them as a duplicate though, because it might be confusing.
We happened to SPLIT on the symlink issue versus the "can't overwrite /tmp/sabre.log" issue because fixing the symlink does not necessarily fix the other problem. Also, if the patch introduced CVE-2008-4407 and others might have used that patch, these are distinct errors - someone might have fixed CVE-2008-4406 but not CVE-2008-4407. Some more explanation is below; let me know if I'm still missing something. I've noticed that Debian generally treats multiple different errors as a more general "insecure file creation" issue. For CVE, we haven't figured out how to handle this. - Steve ====================================================== Name: CVE-2008-4406 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4406 Acknowledged: yes bug-report Announced: 20081001 Flaw: link Reference: MLIST:[oss-security] 20081001 CVE id request: sabre Reference: URL:http://openwall.com/lists/oss-security/2008/10/01/1 Reference: CONFIRM:http://bugs.debian.org/433996 A certain Debian patch to the run scripts for sabre (aka xsabre) 0.2.4b allows local users to delete or overwrite arbitrary files via a symlink attack on unspecified .tmp files. Analysis: WIKI: Message #10 in bug 433996 says "delete" whereas oss-security/2008/10/01/1 says "overwriting." WIKI: It is unclear whether ".tmp files" is different from /tmp/sabre.log. ACKNOWLEDGEMENT: in Debian bug 433996, Nico Golde set the severity to "grave," implying acknowledgement. ====================================================== Name: CVE-2008-4407 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4407 Acknowledged: unknown Announced: 20081001 Flaw: other Reference: MISC:http://bugs.debian.org/433996 XRunSabre in sabre (aka xsabre) 0.2.4b relies on the ability to create /tmp/sabre.log, which allows local users to cause a denial of service (application unavailability) by creating a /tmp/sabre.log file that cannot be overwritten. Analysis: INCLUSION: This seems to be a distinct vulnerability, although this type of vulnerability happens to accompany cases of symlink vulnerabilities that involve fixed filenames and unprivileged users. ACKNOWLEDGEMENT: in Debian bug 433996, Nico Golde set the severity to "grave," implying acknowledgement.
Current thread:
- duplicates: CVE-2008-4406 and CVE-2008-4407 [sabre insecure temp file] Steffen Joeris (Oct 04)
- Re: duplicates: CVE-2008-4406 and CVE-2008-4407 [sabre insecure temp file] Steven M. Christey (Oct 07)