oss-sec mailing list archives
Re: Re: CVE Request -- fwknop 2.0.3: Multiple security issues
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 19 Sep 2012 19:11:08 -0600
On 09/19/2012 03:26 PM, Michael Rash wrote:
> On Sep 19, 2012, Jan Lieskovsky wrote:
>
>> Hello Kurt, Steve, vendors,
>>
>> multiple security issues have been corrected in 2.0.3 upstream version of fwknop (http://www.cipherdyne.org/blog/categories/software-releases.html):
>> ---------------------------------------------------------------------------
>>
>> 1) multiple DoS / code execution flaws:
>>    Upstream patch: [1] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=d46ba1c027a11e45821ba897a4928819bccc8f22
>>
>> 2) server did not properly validate allow IP addresses from malicious authenticated clients
>>    Upstream patch: [2] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=f4c16bc47fc24a96b63105556b62d61c1ba7d799
>>
>> 3) strict filesystem permissions for various fwknop files are not verified
>>
>> 4) local buffer overflow in --last processing with a maliciously constructed ~/.fwknop.run file
>>    Upstream patch: [3] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=a60f05ad44e824f6230b22f8976399340cb535dc
>>
>> For the remaining ones:
>> =======================
>>
>> 5) several conditions in which the server did not properly throw out maliciously constructed variables in the access.conf file
>>    Upstream patch: [4] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=e2c0ac4821773eb335e36ad6cd35830b8d97c75a
>>    Note: This doesn't look like a security flaw (previously possible to provide malicious values to access.conf file, but I assume it would require administrator privileges).
>>
>> 6) [test suite] Added a new fuzzing capability to ensure proper server-side input validation.
>>    Note: Test-suite add-on, no CVE needed.
>>
>> 7) Fixed RPM builds by including the $(DESTDIR) prefix for uninstall-local and install-exec-hook stages in Makefile.am.
>>    Upstream patch: [5] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=c5b229c5c87657197b0c814ff22127d870b55753
>>    Note: Also doesn't look like a fix for a security flaw.
>>
>> Could you allocate CVE ids for issues 1), 2), 3), and 4)?
>>
>> [Cc-ed Damien and Michael from fwknop upstream to confirm they {the first four} should receive a CVE identifier].
>
> I would say that the first four should receive CVE identifiers, yes. For 5), it could be a security issue in older versions of fwknop if the umask at install time was permissive enough to allow non-admin users to modify the access.conf file, but this is unlikely I think so probably doesn't deserve a CVE identifier.

I will be doing the CVE assignments in a bit (need to check up on these) but as far as access to config files due to bad umask, that's a configuration problem that doesn't deserve a CVE in this instance (and in most instances).
Thanks,
-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993