Re: connman heads up / CVE requests

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/07/2012 07:59 AM, Sebastian Krahmer wrote:
> Hi,
>
> Thanks for disassembling my mail :)
>
>
> > 1) Conman doesn't check for the origin of netlink messages (from
> > https://bugzilla.novell.com/show_bug.cgi?id=715172#c4)
> >
> > with patches: [1a] 
> > http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=c1b968984212b46bea1330f5ae029507b9bfded9
[1b]
> > http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=b0ec6eb4466acc57a9ea8be52c17b674b6ea0618
>
> >
> Yes.

Please use CVE-2012-2320 for this issue.

> > 2) Check hostname validity prior setting the hostname in
> > loopback plug-in: (from
> > https://bugzilla.novell.com/show_bug.cgi?id=715172#c4)
> >
> > with patches: [2a] 
> > http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=26ace5c59f790bce0f1988b88874c6f2c480fd5a
[2b]
> > http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=a5f540db7354b76bcabd0a05d8eb8ba2bff4e911
>
> >
> Yes. The severity of this is quite high, its a default remote root
> exploit, as connman is requesting hostname per dhcp by default and
> not checking for shell escapes. (I did not check whether they clean
> any other strings that could appear and could contain newlines etc.
> when its written to a config file)

Please use CVE-2012-2321 for this issue.


> > 3) DHCPv6 option parsing vulnerable to DoS (endless loop): (from
> > https://bugzilla.novell.com/show_bug.cgi?id=715172#c9)
> >
> > with patches: There doesn't seem to be upstream patches for this
> > yet.
>
> I think its this: 
> http://lists.connman.net/pipermail/connman/2012-May/009473.html

Please use CVE-2012-2322 for this issue.


> > 4) Check vpnc options for validity prior saving them: (from
> > https://bugzilla.novell.com/show_bug.cgi?id=715172#c10):
>
> AFAIK there is no patch for it yet. Upstream needs to
> verify/confirm these, but I think its a real bug that lets you
> overwrite files.

I will wait until this is confirmed, when it is please reply to the list.

> Sebastian


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPp/BsAAoJEBYNRVNeJnmT28EP/1GoRdI2u2LyKTe0xbxy5ZZb
j0+XJaUz80TC7tOf0RuVpZOe9U3dympabOHCtLM+9o0DzqAgE/erVHxIA+8UPHeY
IURc3/ABN5Na/SgUd1WbPTGmxbRq9cShkZf32R9Qzw6dNf6aQ3hAPmlSNlJu9O2O
76REIWD83b11GYmjj9RwX5ARvybzy+/4RMI6MUXFd8Tz+PmKKh3nHzRnBUC85iYv
bbsk5UnLGC9ISlJ9ytiAEDvGlt64dOGrUkVY9Cj5XwxUA01Qzi94SeF7XmEvPy4i
q+Uk7Pp4ZTB57IDHtXcTtjvKQGpE3SonRx7mT6LE/Asbg8+6iQIS+biyq/jh8VmB
a2cbQQm52pgCqSVCmWgtn6qGdGUPFXYpBsQ1xv8SAcOqXBrXor7PYulVcM+cly65
X8s0GKIpp3sw9rsdHy3aZW04FRSe3ij/TKvjHsxx43652nPExrB3GdAJNXsvdvzP
WrJ2TR9F52DSsSucPdsVAWtrAE0QTlISYhRvx1T6RSmY9/xFobzl76alidsrHSMQ
KcGmr7kJTwOwfyZDe1B4lx2dXyAdt4rA1w/W8rY3uhGDDbI1REGvaviz3NivqLox
4qBkNxLkHiDZceTF3guKisQp3ElKKQ4jRvvyHk37XcgXgNswun5d7/2gFxT9KI00
U4Cvy8m7wuN4wcfkJ8ZA
=h+ql
-----END PGP SIGNATURE-----