oss-sec mailing list archives
Re: CVE request: kernel: a collection of world-writable debugfs bugs
From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Sun, 20 Mar 2011 15:45:25 -0400
I don't mean to create unnecessary work, but have you actually confirmed that exposing each of these files as world-writable actually allows a user to cross privilege boundaries? It seems to me that while it's bad practice to create these interfaces as world-writable and should be fixed regardless, unless being able to write to one of these interfaces actually allows a user to do something he shouldn't be able to, it's not a security bug by itself. For example, I've noticed interfaces that are created with world-writable file permissions that don't actually do anything useful when you write to them. Regards, Dan On Sun, Mar 20, 2011 at 9:43 AM, Vasiliy Kulikov <segoon () openwall com> wrote:
Steven, On Wed, Feb 23, 2011 at 16:23 -0500, Josh Bressers wrote:Thanks for the list. I don't have enough CVE ids for this, I've grouped them by type and version for MITRE to assign IDs.Any update on this? Thanks, -- Vasiliy Kulikov http://www.openwall.com - bringing security into open computing environments
Current thread:
- CVE request: kernel: a collection of world-writable debugfs bugs Eugene Teo (Feb 22)
- Re: CVE request: kernel: a collection of world-writable debugfs bugs Josh Bressers (Feb 22)
- Re: CVE request: kernel: a collection of world-writable debugfs bugs Eugene Teo (Feb 22)
- Re: CVE request: kernel: a collection of world-writable debugfs bugs Vasiliy Kulikov (Feb 23)
- Re: CVE request: kernel: a collection of world-writable debugfs bugs Josh Bressers (Feb 23)
- Re: CVE request: kernel: a collection of world-writable debugfs bugs Vasiliy Kulikov (Mar 20)
- Re: CVE request: kernel: a collection of world-writable debugfs bugs Dan Rosenberg (Mar 20)
- Re: CVE request: kernel: a collection of world-writable debugfs bugs Vasiliy Kulikov (Mar 21)
- Re: CVE request: kernel: a collection of world-writable debugfs bugs Eugene Teo (Feb 22)
- Re: CVE request: kernel: a collection of world-writable debugfs bugs Josh Bressers (Feb 22)