Re: Re: Problems in automatic crash analysis frameworks

[Huzaifa Sidhpurwala <huzaifas () redhat com>]

On 04/16/2015 10:50 AM, cve-assign () mitre org wrote:
> > IMO two CVEs are required:
>
> > "Various symlink flaws in abrt" and "Various race conditions in abrt"
>
> For purposes of CVE, a set of vulnerabilities related to symlink
> following normally isn't assigned two CVE IDs solely because some of
> the symlink attacks depend on a race condition, whereas other symlink
> attacks don't depend on a race condition.
>
> The specific exploitation scenario disclosed in raceabrt.c is about
> replacing maps with a symlink to /etc/passwd and then waiting for the
> next line of the code to chown /etc/passwd. This requires symlink
> following, and will have the same CVE ID as other issues that require
> symlink following.
>
> If the only goal of an attacker were to delete the maps file in order
> to cause data loss, then we think that attacker does not need to win a
> race. That attacker can delete the maps file either before or after
> the chown. (It's also conceivable that file deletion, by itself, was
> considered an acceptable risk, and not a valid attack goal.)
>
> However, the text of
> http://openwall.com/lists/oss-security/2015/04/14/4 said "is
> vulnerable to a filesystem race where a user unlinks the file." That's
> why we asked about the possibility of another scenario in which:
>
>   1. The ultimate goal is only to unlink the file.
>   2. Achieving this ultimate goal requires winning a race.
>
> We think there's isn't any such scenario, but we wanted to confirm
> that before doing a CVE mapping. If there isn't any such scenario,
> then the total number of CVE IDs for the whole "Furthermore, Abrt
> suffers" section will be 1.
My previous email, was based on general observation, i really dont have
a preference. Please feel free to assign a CVE, if other issues are
discovered we will let MITRE know.

-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team