oss-sec mailing list archives

Re: CVE Request coreutils


From: Sebastian Krahmer <krahmer () suse de>
Date: Wed, 23 Jan 2013 08:47:35 +0100

On Tue, Jan 22, 2013 at 08:47:46AM -0700, Vincent Danen wrote:
> * [2013-01-22 08:25:23 +0100] Sebastian Krahmer wrote:
>
> > Generally, I see your point. However sometimes services running as
> > root 'sort' or 'uniq' user input e.g. via grepping logfiles etc,
> > so there is indeed a real chance to indirectly trigger a privilege
> > escalation. The past shows that segfaults can be turned into a
> > code exec often. It's a stack overflow after all.
>
> Do you believe this would be the case with modern GCC/Glibc hardening
> though?  Wouldn't this just be rendered a crash?

Are you serious? And since when will CVEs not be assigned because
some mitigation could possibly prevent a stack overflow from being turned
into code exec?


> But even then, if we're talking about logfiles (which is a reasonable
> case) you'd have to be allowing user-controlled input to your logs,
> which would mean you'd have another problem.

You mean like 'logger -t sshd failed login attempt' ?



> I'm also assuming, based on the comments in the first bug, that you need
> a really large line (not just an entire file, but one line).  How likely
> is it that you would be grepping a log file with ~10MB of data on one
> line?

Not very common indeed, but I think it's not the point (logfiles were
just _one_ example).

Nevertheless, you seem to shift your arguments. For each reason/attack vector
I answer, you bring up two new reasons why this is not an issue.

At the end, I did not spot the bug; if the majority thinks it's not worth
a CVE, I can live with it. It would just have made tracking easier.


regards,
Sebastian

PS: Reminds me of the one-year dbus discussion where everyone told me that
this can never be a problem.

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
