Re: openvswitch world writable directories (CVE-2012-3449)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/03/2012 12:04 AM, Yves-Alexis Perez wrote:
> On jeu., 2012-08-02 at 13:08 -0600, Kurt Seifried wrote:
> > Andreas Beckmann debian () abeckmann de reports:
> >
> > openvswitch-pki creates the following world writable directories 
> > during installation:
> […]
>
> > Please use CVE-2012-3449 for this issue.
>
> I'm unsure if you want to allocate CVEs for all this kind of
> issues, but Andreas is currently reporting a bunch of bugs for
> those. See:

If a security boundary is crossed then yup. E.g. you can monkey with
the programs log files/config/etc. (cover up attacks/etc.) or possibly
crash the program/cause a dos (forcing it to append/process huge
files, etc.). Alternatively you can use the directory to stash files
(and typically the admin only expects /tmp/, /var/tmp/) and so on.

> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683649 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683647
>
> and I guess there might be more to come since it's the result of 
> piuparts tests run against the whole archive.

Basically it's a lot like /tmp/ file creation issues. They are low
level, rarely fatal, but they are security issues that need to be
addressed. I'll do separate emails for them to make tracking easier.

> Regards,


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQHBKfAAoJEBYNRVNeJnmT3Z8QALhQ17t1psZCdrxvzW/aaBvx
g5cwQEZjZWJkeFq+1GS+RHQ5wdtXdI0x7d5WhK0t4hQFPqcSyvzn+UJV2QFeXH+m
F71i0IXt473Wa6G/XdkwQMYpzkF5FIkNHeKJAC4HOg1a3qsu2H8BKHl2fMKT7MDh
HuZVOFVqVqZiqe3zNHEXfHbPebeJQEPATtROIncTAbPKXZnbc4Y+i6IEIwXLjZk0
jDm+O16CopmivuLopy8AxT6Z1z18fNigvevOQBjtiHRPR0S1giynV8/CUn5C5cBN
BuhaVzYT/FkHE02ayeAEq4NApYdJbvBWGmo5mOg/hmchhVL00qBPeTOFCo1w72QM
vxfGKCRHL4Cm1SvQraY+nOwl9sLBpEvSkpFUdrITBpF03muE9KMgo5DnyU5kKf4D
6mBDy+RCBWXMk8wC7tgaUSUJ1qKeW/hO2w/aKwSXkmsK8X3u8NzCS2ezUZva/Nk7
Y4UssGijN8wwQb52//Ab3mximiV3ucHDZlZOmGHNUpVSPrAmW3KES0dJMhyHiGh+
gR0E7lHrf5HA4XTH3/VLee9fWVNcY3D8FmyLEjixDtEGQub/ehiNV9DrZXrun+Jg
XYLlzTBIXNeAmWHSnpOsTTGO6KI45SxcJEe0jrcDlhQXv2ygDohiYZxik6jDQeKc
kycbiI0+K4QCEKd/7X1v
=t7K3
-----END PGP SIGNATURE-----