Re: CVE Request: Planeshift buffer overflow

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/17/2012 09:53 PM, Andres Gomez wrote:
> Hi kurt,
>
> The fact that only local user can modify program files doesn't
> mean there is no security risk, there are a lot of examples but
> look at this:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4620

That's a very different scenario than this one as I understand it.
TORCS actually has a realistic requirement for using TORCS files
supplied by the user (that are downloaded from remote sites/etc.).

> this is very similar, only local user can modify software files,
> but as defined by Mitre this bug "allows user-assisted remote
> attackers to execute arbitrary code", because an attacker can
> deceive a user to download and use a specially crafted file. I
> accept the fact that "chatbubbles.xml" being a configuration file
> makes it harder to be replaced, but still there is a risk.

In the case of Planeshift the chatbubbles.xml is not supplied by the
user, it comes with the program and is installed into a system
directory. This is very different from the TORCS situation. If you can
convince a user to start replacing system config files than almost
every program needs a CVE by that definition (I can think of a few
hundred programs on Linux that have config files that result in other
programs/script/commands being run that can be easily obfuscated to do
nastiness).

Steven: comments, do you think this needs a CVE?

> Thanks for the feedback,
>
> Andres Gomez

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPtd97AAoJEBYNRVNeJnmT1QUP/3/cd2e5yH06fM07eGbLcb2Q
bOo4JsWhkDlkWV3t/Z02Ws6pWqL3349I4yHr79PDQXdoZcCyY2EAm7F7qz/C+DV+
4oCyPidZp/LihIqe4gpKs6Vzlzb9COiD8AlHKpkOKa5myUTVDeWpYgB0UYj/dfnZ
Of527MeK55eVOXzqAgPXFjfutQtRy31ibJ4KikHHHbE8PO+2OqpXZmgp1zgA4nnw
NZffzTe51GYGmFSTBaZlWGNgXN9qBZmevOmVOm577x5pBOOaewo22wFpHt8kf3U7
WrBHSPn5PZ4j4hfNeduss0j6s/Xk/2jlqDIN7vi1Orod9GN+CXo1TV538Z+XjMz5
CsolfvS5zfvfwTR4h9BxNWGuuu4gTSQXLo+uE4MnJhFqIjdEVeP9EY/CvebYipcp
+W9ceKz7v05fsaGe2UauY/QxuJpWKSsBKC77KiAErrqx3j9Wmd/3ENSYoh1wWDii
KJ5iHpxWRVZ19XWlCeOm5XzeeaThNOZZ+fQQx/0V6e9JkVNENc1nnilcV+htUhMj
cgWkLxLR7Bx71ti4kmY1cAPaWXcPzSFHhXcmL/qew66pJri6MawL1KTtzK9d346B
j9NcxjKszVpFrM19i1Q4+qbkYMiPFNOzCH52T362TrlYWGVr0BHNhaO1eK5vFYwr
EnNL8GTA4W/olByNcrBy
=isTV
-----END PGP SIGNATURE-----