oss-sec mailing list archives
Re: openvswitch world writable directories (CVE-2012-3449)
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 03 Aug 2012 12:04:16 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/03/2012 12:04 AM, Yves-Alexis Perez wrote:
On jeu., 2012-08-02 at 13:08 -0600, Kurt Seifried wrote:Andreas Beckmann debian () abeckmann de reports: openvswitch-pki creates the following world writable directories during installation:[…]Please use CVE-2012-3449 for this issue.I'm unsure if you want to allocate CVEs for all this kind of issues, but Andreas is currently reporting a bunch of bugs for those. See:
If a security boundary is crossed then yup. E.g. you can monkey with the programs log files/config/etc. (cover up attacks/etc.) or possibly crash the program/cause a dos (forcing it to append/process huge files, etc.). Alternatively you can use the directory to stash files (and typically the admin only expects /tmp/, /var/tmp/) and so on.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683649 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683647 and I guess there might be more to come since it's the result of piuparts tests run against the whole archive.
Basically it's a lot like /tmp/ file creation issues. They are low level, rarely fatal, but they are security issues that need to be addressed. I'll do separate emails for them to make tracking easier.
Regards,
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJQHBKfAAoJEBYNRVNeJnmT3Z8QALhQ17t1psZCdrxvzW/aaBvx g5cwQEZjZWJkeFq+1GS+RHQ5wdtXdI0x7d5WhK0t4hQFPqcSyvzn+UJV2QFeXH+m F71i0IXt473Wa6G/XdkwQMYpzkF5FIkNHeKJAC4HOg1a3qsu2H8BKHl2fMKT7MDh HuZVOFVqVqZiqe3zNHEXfHbPebeJQEPATtROIncTAbPKXZnbc4Y+i6IEIwXLjZk0 jDm+O16CopmivuLopy8AxT6Z1z18fNigvevOQBjtiHRPR0S1giynV8/CUn5C5cBN BuhaVzYT/FkHE02ayeAEq4NApYdJbvBWGmo5mOg/hmchhVL00qBPeTOFCo1w72QM vxfGKCRHL4Cm1SvQraY+nOwl9sLBpEvSkpFUdrITBpF03muE9KMgo5DnyU5kKf4D 6mBDy+RCBWXMk8wC7tgaUSUJ1qKeW/hO2w/aKwSXkmsK8X3u8NzCS2ezUZva/Nk7 Y4UssGijN8wwQb52//Ab3mximiV3ucHDZlZOmGHNUpVSPrAmW3KES0dJMhyHiGh+ gR0E7lHrf5HA4XTH3/VLee9fWVNcY3D8FmyLEjixDtEGQub/ehiNV9DrZXrun+Jg XYLlzTBIXNeAmWHSnpOsTTGO6KI45SxcJEe0jrcDlhQXv2ygDohiYZxik6jDQeKc kycbiI0+K4QCEKd/7X1v =t7K3 -----END PGP SIGNATURE-----
Current thread:
- openvswitch world writable directories (CVE-2012-3449) Kurt Seifried (Aug 02)
- Re: openvswitch world writable directories (CVE-2012-3449) Yves-Alexis Perez (Aug 02)
- Re: openvswitch world writable directories (CVE-2012-3449) Kurt Seifried (Aug 03)
- Re: openvswitch world writable directories (CVE-2012-3449) Yves-Alexis Perez (Aug 02)