Re: Re: CVE Request -- fwknop 2.0.3: Multiple security issues

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/19/2012 03:26 PM, Michael Rash wrote:
> On Sep 19, 2012, Jan Lieskovsky wrote:
>
> > Hello Kurt, Steve, vendors,
> >
> > multiple securit issues have been corrected in 2.0.3 upstream
> > version of fwknop
> > (http://www.cipherdyne.org/blog/categories/software-releases.html):
-
---------------------------------------------------------------------------
> > 1) multiple DoS / code execution flaws: Upstream patch: [1]
> > http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=d46ba1c027a11e45821ba897a4928819bccc8f22
2) server did not properly validate allow IP addresses from malicious
> > authenticated clients Upstream patch: [2]
> > http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=f4c16bc47fc24a96b63105556b62d61c1ba7d799
3) strict filesystem permissions for various fwknop files are not verified
> > 4) local buffer overflow in --last processing with a maliciously
> > constructed ~/.fwknop.run file Upstream patch: [3]
> > http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=a60f05ad44e824f6230b22f8976399340cb535dc
For the remaining ones:
> > ======================= 5) several conditions in which the server
> > did not properly throw out maliciously constructed variables in
> > the access.conf file Upstream patch: [4]
> > http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=e2c0ac4821773eb335e36ad6cd35830b8d97c75a
Note: This doesn't look like a security flaw (previously possible to
provide malicious values
> > to access.conf file, but I assume it would required administrator
> > privileges).
> >
> > 6) [test suite] Added a new fuzzing capability to ensure proper
> > server-side input validation. Note: Test-suite add-on, no CVE
> > needed.
> >
> > 7) Fixed RPM builds by including the $(DESTDIR) prefix for
> > uninstall-local and install-exec-hook stages in Makefile.am. 
> > Upstream patch: [5]
> > http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=c5b229c5c87657197b0c814ff22127d870b55753
> >
> >  Note: Also doesn't look like a fix for a security flaw.
> >
> > Could you allocate CVE ids for issues 1), 2), 3), and 4) ?
> >
> > [Cc-ed Damien and Michael from fwknop upstream to confirm they
> > {the first four} should receive a CVE identifier].
>
> I would say that the first four should receive CVE identifiers,
> yes. For 5), it could be a security issue in older versions of
> fwknop if the umask at install time was permissive enough to allow
> non-admin users to modify the access.conf file, but this is
> unlikely I think so probably doesn't deserve a CVE identifier.

I will be doing the CVE assignments in a bit (need to check up on
these) but as far as access to config files due to bad umask, that's a
configuration problem that doesn't deserve a CVE in this instance (and
in most instances).

> Thanks,


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQWm0sAAoJEBYNRVNeJnmT3JMP/0yrgcn2A9uSN23JDxzbwdCa
R5pS/umjjxagwPNEt5BheLVQkKb8BUU2ly9Q6Vrz8mIOfz5td0xP7QGJYsZ4NGSA
M/s9pR96fjaGR2NQhxEqu6udpWdHcfVRWHzVVbtWxhIfskP7IBauMotMNeZnDAqD
zPFwj4UsX6HNznRwxY7O6V20bOs5+/dwI2H0N9YLKiVghEK9eTjh/4usLYjKvufy
8p+Hqxeq8LRDh4Y32pSKGK8YQEtuqsXd6pKEPV3gT6qLi3wAnd5gfzYFphL2o5/2
pzTtWQ8Jh2VfqIOeHp53xdvHV2nhh6T1njHOLDEgVi6/24n3kRPNXomFeymoLDZw
exl9HBB91QInW2/R9COl4WHvOwSOeAu12o99PytjhmtLzJ/D7CWQw0M1ZwVdPBL6
ahQeNNgHOUtzx0pGoQSFKUDKBX+aW0ktcOHeYfucMEj0n6+u7gfpBiMuo19a+wuc
uI/4M7A1/dNRW829Zet+fUOGj28nFqLwKaymIWP47rVSqUKmSDKUHlCjN4OBp0Ky
LpS4ne0ggccXg2LxFpQIDXtOQyB1BlOxmz0C6hrV0XySLSNSgFG5l2R3RMF5v3fq
u3g9l1EA40U3irtdeI1VvgdX50/qG0KEd/ZABuYDwjP/wGVgz0OjeKvVPb3THmEt
dgCSkWB2agBxqrFn9oek
=gKL9
-----END PGP SIGNATURE-----