oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: Problems in automatic crash analysis frameworks

From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Thu, 16 Apr 2015 09:52:20 +0530
On 04/16/2015 09:34 AM, cve-assign () mitre org wrote:


As far as we can tell, the other issues in the "Furthermore, Abrt
suffers" section of
http://openwall.com/lists/oss-security/2015/04/14/4 are about an
attacker who must create a symlink as part of an attack with a goal of
making the collected crash data include unintended (and possibly
private) information. We currently think that a single CVE ID can be
used for all of them.




IMO two CVEs are required:

"Various symlink flaws in abrt" and "Various race conditions in abrt"

I am not sure if the exploit used one or both of these issues to achieve
privesc, but both of these issues exists, are security flaws and may
have varied impact. (Maybe not easy to exploit?)

-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
Previous By Date Next
Previous By Thread Next

Current thread: