oss-sec mailing list archives
Re: CVE Request -- fwknop 2.0.3: Multiple security issues
From: Michael Rash <mbr () cipherdyne org>
Date: Wed, 19 Sep 2012 17:26:59 -0400
On Sep 19, 2012, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

multiple security issues have been corrected in 2.0.3 upstream version of fwknop (http://www.cipherdyne.org/blog/categories/software-releases.html):

---------------------------------------------------------------------------
1) multiple DoS / code execution flaws:
Upstream patch:
[1] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=d46ba1c027a11e45821ba897a4928819bccc8f22

2) server did not properly validate allow IP addresses from malicious authenticated clients
Upstream patch:
[2] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=f4c16bc47fc24a96b63105556b62d61c1ba7d799

3) strict filesystem permissions for various fwknop files are not verified

4) local buffer overflow in --last processing with a maliciously constructed ~/.fwknop.run file
Upstream patch:
[3] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=a60f05ad44e824f6230b22f8976399340cb535dc

For the remaining ones:
=======================
5) several conditions in which the server did not properly throw out maliciously constructed variables in the access.conf file
Upstream patch:
[4] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=e2c0ac4821773eb335e36ad6cd35830b8d97c75a
Note: This doesn't look like a security flaw (previously possible to provide malicious values to access.conf file, but I assume it would require administrator privileges).

6) [test suite] Added a new fuzzing capability to ensure proper server-side input validation.
Note: Test-suite add-on, no CVE needed.

7) Fixed RPM builds by including the $(DESTDIR) prefix for uninstall-local and install-exec-hook stages in Makefile.am.
Upstream patch:
[5] http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=c5b229c5c87657197b0c814ff22127d870b55753
Note: Also doesn't look like a fix for a security flaw.

Could you allocate CVE ids for issues 1), 2), 3), and 4) ?
[Cc-ed Damien and Michael from fwknop upstream to confirm they {the first four} should receive a CVE identifier].
I would say that the first four should receive CVE identifiers, yes. For 5), it could be a security issue in older versions of fwknop if the umask at install time was permissive enough to allow non-admin users to modify the access.conf file, but this is unlikely, I think, so it probably doesn't deserve a CVE identifier.

Thanks,

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint: E2EF 0C8A 5AA9 654C 4763 B50F 37AC E946 7F51 8271
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team