oss-sec mailing list archives
Re: Upcoming security release of fish 2.1.1
From: cve-assign () mitre org
Date: Fri, 23 May 2014 14:21:19 -0400 (EDT)
http://openwall.com/lists/oss-security/2014/05/06/3
First, we should mention that a single CVE ID cannot be used for a set of related issues that have different affected versions. For the earlier message that mentioned CVE-2014-2906 and CVE-2014-2914, approximately two more CVE IDs will be needed. We will send those later.
CVE-2014-2906: fish temporary file creation vulnerable to race condition leading to privilege escalation
Versions 1.23.0 to 2.1.0 (inclusive) execute code from these temporary files, allowing privilege escalation to those of any user running fish, including root. Additionally, from at least version 1.16.0 to version 2.1.0 (inclusive), fish will read data using the psub function from these temporary files, meaning that the input of commands used with the psub function is under the control of the attacker.
This actually needs two CVE IDs because there are two affected functions, with different sets of affected versions. (For example, there is a psub vulnerability in version 1.22.0, but there is no funced vulnerability in 1.22.0 because funced didn't yet exist.) For the psub vulnerability, please continue to use CVE-2014-2906. For the funced vulnerability, please use CVE-2014-3856.
fish version 2.1.1 restricts incoming connections to localhost only. At this stage, users should avoid running fish_config on systems where there are untrusted local users, as they are still able to connect to the fish_config service and elevate their privileges to those of the user running fish_config.
At present, we're not assigning an additional CVE ID for this "local users ... elevate their privileges" issue. Our interpretation is that you're not trying to make an announcement that 2.1.1 is a vulnerable version. Instead, you're trying to document the machine environment on which fish_config in 2.1.1 can be safely used (i.e., machines with untrusted local users are not fully supported for fish_config at the moment). If you actually wanted a CVE ID for versions 2.1.1 and earlier, referring to the fish_config attack by local users, please let us know.
-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]