oss-sec mailing list archives
Re: CVE request: kernel information leak via userspace USB interface
From: Eugene Teo <eugene () redhat com>
Date: Fri, 19 Feb 2010 08:47:50 +0800
On 02/19/2010 12:53 AM, Steven M. Christey wrote:
> On Thu, 18 Feb 2010, Marcus Meissner wrote:
>
>> Are we considering "giving desktop local users unintended rights" a
>> security issue or not?
>
> From a CVE purist perspective, if the security model is that "users with
> physical access should not be able to read portions of kernel memory"
> then a violation of that is technically a vulnerability, even if the
> attack complexity is high - assuming that there isn't already some
> easier way that the attacker can get the same results through legitimate
> means.
>
> Being able to crash the system by plugging in a USB device (for example)
> is about as easy as the defenestration exploit - i.e. throwing the
> computer out the window - so in that case I wouldn't view it as a
> vulnerability.
>
> If someone with physical access can read the kernel memory that's being
> leaked, if they don't already own the box, that seems a little more like
> a vulnerability to me.

Thanks for clarifying!

Eugene
--
Eugene Teo / Red Hat Security Response Team