oss-sec mailing list archives

Re: CVE request: kernel: a collection of world-writable debugfs bugs


From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Sun, 20 Mar 2011 15:45:25 -0400

I don't mean to create unnecessary work, but have you actually
confirmed that exposing each of these files as world-writable actually
allows a user to cross privilege boundaries?  It seems to me that
while it's bad practice to create these interfaces as world-writable
and should be fixed regardless, unless being able to write to one of
these interfaces actually allows a user to do something he shouldn't
be able to, it's not a security bug by itself.  For example, I've
noticed interfaces that are created with world-writable file
permissions that don't actually do anything useful when you write to
them.

Regards,
Dan

On Sun, Mar 20, 2011 at 9:43 AM, Vasiliy Kulikov <segoon () openwall com> wrote:
> Steven,
>
> On Wed, Feb 23, 2011 at 16:23 -0500, Josh Bressers wrote:
>> Thanks for the list. I don't have enough CVE ids for this, I've grouped
>> them by type and version for MITRE to assign IDs.
>
> Any update on this?
>
> Thanks,
>
> --
> Vasiliy Kulikov
> http://www.openwall.com - bringing security into open computing environments


