Re: CVE request: kernel stack infoleaks

["Steven M. Christey" <coley () linus mitre org>]

On Tue, 2 Nov 2010, Dan Rosenberg wrote:

> And since I've already gotten flack for this comment, I'll add for the 
> sake of clarity: the second item is not a security issue if CAP_NET_RAW 
> is synonymous with root access in your privilege model, as is the case 
> on most systems.

Duly noted, but I have something to say anyway ;-) From a CVE purist 
perspective, successful exploitation gets something more than what you can 
get with CAP_NET_RAW alone, thus there is a violation of the intended 
security model, no matter how small.  One exception that I sometimes 
wonder about is whether you already have chained privileges [1] (e.g. 
where legitimate use of privilege A can automatically get you privilege 
B), but that kind of thing sometimes makes me wonder why there are 2 
separate privileges in the first place.

So, it would be reasonable to have a CVE, even though its severity would 
be knocked way down because of the combination of the minor infoleak and 
requirements for already-high privileges.

I recognize that this approach is probably at odds with many developers 
who have to implement protection mechanisms related to privileges and 
access control.

- Steve



[1] where "privilege" is placeholder for "privilege, capability, access, 
permission, etc., whatever the term is that is used for the particular 
software you have in mind that is an implicit or explicit statement of 
what a particular user or group of users is allowed to do."