oss-sec mailing list archives
Re: CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775)
From: Panu Matilainen <pmatilai () redhat com>
Date: Fri, 4 Jun 2010 07:48:41 +0300 (EEST)
On Thu, 3 Jun 2010, Steven M. Christey wrote:
> On Thu, 3 Jun 2010, Josh Bressers wrote:
>> I'm going to give both of these the same CVE id. The issues are very related, and I had a look at the CWE guide; they both seem to fall under "CWE-281: Improper Preservation of Permissions". Steve, feel free to overrule me on this one.
>
> At a low level of granularity, it can be overkill to distinguish between closely-related flaw types.
>
> The factor of concern here is that Red Hat bug 598775 suggests that the first variant was committed to a changeset, but not the second. I can't (quickly) assess whether upstream committed changes for both variants, but if there's only a commit for the first one (and a public release), then maybe we consider these bugs as "almost-but-not-quite the same version" and assign a separate CVE.
The second part about POSIX file capabilities was realized shortly afterwards while thinking of possible other similar cases, and has been fixed too now:
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=4d172a194addc49851e558ea390d3045894e3230

To my knowledge no distro actually uses the file capability support in RPM though.
- Panu -
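The thread's first variant is a package upgrade that leaves old SUID/SGID bits on a file whose new version no longer declares them. A defender can detect that state by comparing what the package manifest declares with what is actually on disk. The following is an added example, not code from the thread or from rpm; it assumes the manifest lines follow the layout of `rpm -q --dump` output (path, size, mtime, digest, octal mode, owner, group, ...) and uses constructed manifest lines and constructed on-disk modes in place of a real `os.stat()` walk.

```python
import stat

# Constructed sample in the layout assumed for `rpm -q --dump` output:
# path size mtime digest mode owner group isconfig isdoc rdev symlink (mode in octal).
SAMPLE_DUMP = """\
/usr/bin/foo 12345 1275600000 0123456789abcdef0123456789abcdef 0100755 root root 0 0 0 X
/usr/bin/bar 2345 1275600000 fedcba9876543210fedcba9876543210 0104755 root root 0 0 0 X
/usr/sbin/baz 777 1275600000 00112233445566778899aabbccddeeff 0100755 root root 0 0 0 X
"""

# Constructed on-disk modes (what os.stat(path).st_mode would report) after an
# upgrade that failed to clear the special bits of the previous version.
SAMPLE_ON_DISK = {
    "/usr/bin/foo": 0o104755,   # setuid still set, but the new package does not declare it
    "/usr/bin/bar": 0o104755,   # setuid declared by the package: nothing to report
    "/usr/sbin/baz": 0o102755,  # setgid left over from the previous version
}

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def parse_dump(text):
    """Map each path in the manifest to the mode the package declares for it."""
    declared = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # not a manifest line
        declared[fields[0]] = int(fields[4], 8)
    return declared


def stale_special_bits(declared, on_disk):
    """Return (path, bits) for files whose on-disk SUID/SGID bits exceed what
    the package declares. Files the package does not own are skipped."""
    findings = []
    for path, mode in sorted(on_disk.items()):
        want = declared.get(path)
        if want is None:
            continue
        # Bits that are set on disk but not in the declared mode.
        extra = (mode & SPECIAL_BITS) & ~(want & SPECIAL_BITS)
        if extra:
            findings.append((path, extra))
    return findings


def remediation(declared, findings):
    """Mode string (as chmod would take it) that restores each flagged file to
    exactly what the package declares, which clears the stale bits."""
    return {path: f"{stat.S_IMODE(declared[path]):04o}" for path, _ in findings}


if __name__ == "__main__":
    manifest = parse_dump(SAMPLE_DUMP)
    found = stale_special_bits(manifest, SAMPLE_ON_DISK)
    for path, bits in found:
        print(f"{path}: undeclared special bits {bits:04o}")
    for path, mode in remediation(manifest, found).items():
        print(f"  fix: chmod {mode} {path}")
```

On a live system the same comparison is what `rpm -V` reports as a mode mismatch ('M'), so the script is mainly useful for understanding what the bug leaves behind. The second variant in the thread, stale POSIX file capabilities, lives in the `security.capability` extended attribute rather than the mode bits and is not covered by this check.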