Re: CVE request -- zsh, XFree86-xfs/xorg-x11-xfs, screen

[Jan Lieskovsky <jlieskov () redhat com>]

Hello Steve,

On Tue, 2009-03-31 at 21:12 -0400, Steven M. Christey wrote:
> On Wed, 25 Mar 2009, Jan Lieskovsky wrote:
>
> > 1, zsh Stack-based buffer overflow due improper escaping of the '!' character
> >    References:
> >    https://bugs.launchpad.net/ubuntu/+source/zsh/+bug/333722
> >    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521108
> >    https://bugzilla.redhat.com/show_bug.cgi?id=492089
>
> This doesn't seem like a vulnerability to me.  It's only executable in
> interactive mode.  If the attacker can already type in commands, then they
> already have the privileges to execute code.

Fair enough.

> > 2, XFree86-xfs / xorg-x11-xfs Unsafe usage of temporary file
> >    References:
> >    https://bugs.launchpad.net/ubuntu/+source/xfs/+bug/299560
> >    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521107
> >    https://bugzilla.novell.com/show_bug.cgi?id=408006
> >    https://bugzilla.redhat.com/show_bug.cgi?id=492098
>
> Is this a regression of CVE-2007-3103 (DEBIAN:DSA-1342) or is there
> something else going on here?

Yeah, this is CVE-2007-3103.

> > 3, screen: Unsafe usage of temporary file
> >    References:
> >    https://bugs.launchpad.net/ubuntu/+source/screen/+bug/315993
> >    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123
> >    https://bugzilla.redhat.com/show_bug.cgi?id=492104
>
> CVE-2009-1214 - world-readable permissions
> CVE-2009-1215 - symlink following

Thanks.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> - Steve
>
> ======================================================
> Name: CVE-2009-1214
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1214
> Reference: MLIST:[oss-security] 20090325 CVE request -- zsh, XFree86-xfs/xorg-x11-xfs, screen
> Reference: URL:http://www.openwall.com/lists/oss-security/2009/03/25/7
> Reference: MISC:http://savannah.gnu.org/bugs/?25296
> Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123
> Reference: CONFIRM:https://bugs.launchpad.net/ubuntu/+source/screen/+bug/315993
> Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=492104
>
> GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with
> world-readable permissions, which might allow local users to obtain
> sensitive session information.
>
>
> ======================================================
> Name: CVE-2009-1215
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1215
> Reference: MLIST:[oss-security] 20090325 CVE request -- zsh, XFree86-xfs/xorg-x11-xfs, screen
> Reference: URL:http://www.openwall.com/lists/oss-security/2009/03/25/7
> Reference: MISC:http://savannah.gnu.org/bugs/?25296
> Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123
> Reference: CONFIRM:https://bugs.launchpad.net/ubuntu/+source/screen/+bug/315993
> Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=492104
>
> Race condition in GNU screen 4.0.3 allows local users to create or
> overwrite arbitrary files via a symlink attack on the
> /tmp/screen-exchange temporary file.