oss-sec mailing list archives
RE: CVE request: Debian's package "mysql-server" leaks credential information
From: "Christey, Steven M." <coley () mitre org>
Date: Sun, 9 Jun 2013 22:17:14 +0000
From: Daniel Kahn Gillmor [mailto:dkg () fifthhorseman net]
Sent: Saturday, June 08, 2013 1:28 PM
To: oss-security () lists openwall com
Cc: gremlin () gremlin ru
Subject: Re: [oss-security] CVE request: Debian's package "mysql-server" leaks credential information

> On 06/08/2013 07:00 AM, gremlin () gremlin ru wrote:
>> That's not a security issue, but a misconfiguration
>
> I consider this a security bug in the debian package's maintainer scripts: it is a race condition that leaks confidential information to a user who "wins" the race. It is *not* a misconfiguration; it is a bug with security implications.
This is the CVE perspective, as well. Even though "setting permissions and ownership of a file" is clearly a configuration operation, as Kurt said, we do sometimes cover such issues. Looking at the code extract for the installation script in Debian bug 711600, it is clear that debian.cnf is expected to have certain ownership and permissions; this is part of a "security policy" that is specified by the code with the chown/chmod commands, which override the default umask. Due to the race condition, an attacker can violate this policy, which argues strongly for inclusion in CVE.

We have maybe 10 to 20 previous CVEs that involve insufficient control of permissions during installation or copies (for example, extracting a lot of files from an archive, or doing a recursive directory copy, and changing the permissions only *after* they have all been extracted.)

There has been some past discussion on oss-security about when reliance on a default umask is sufficient for inclusion in CVE or not. See September 2012 discussion about gpg and vim starting at http://www.openwall.com/lists/oss-security/2012/09/21/4 , with my commentary at http://www.openwall.com/lists/oss-security/2012/09/24/9 and Kurt's at http://www.openwall.com/lists/oss-security/2012/09/26/6 .

While there aren't any hard-and-fast rules, a file containing private keys or credentials is typically expected to be readable only by the intended user of the program, so creation of a file with insecure permissions due to reliance on a default umask would likely qualify for a CVE.

- Steve
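The create-then-chmod window discussed in this message, as an added example beside a hardened form. It is not the Debian maintainer script from bug 711600 and not code from this thread; the function names, file names and secret value are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: neither function is the real mysql-server maintainer script.

# Print a file's permission bits in octal (GNU stat, then BSD stat).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Racy pattern: the secret is written under the default umask and the
# permissions are narrowed only afterwards. Prints the mode that other
# local users see while the secret is already on disk.
write_secret_racy() {
    ( umask 022                          # typical system default
      printf 'password = %s\n' "$2" > "$1"
      mode_of "$1"                       # window: file is world-readable
      chmod 0600 "$1" )                  # policy applied too late
}

# Hardened pattern: restrictive umask first, write into a private temp
# file in the same directory, then rename it into place. The secret never
# exists under a permissive mode. A chown, if needed, belongs before the mv.
write_secret_safe() {
    ( umask 077
      tmp=$(mktemp "$1.XXXXXX") || exit 1
      printf 'password = %s\n' "$2" > "$tmp"
      mode_of "$tmp"                     # mode while the secret is on disk
      mv -f "$tmp" "$1" )
}

# Stand-alone demo in a throwaway directory.
demo_dir=$(mktemp -d)
echo "racy: mode during write = $(write_secret_racy "$demo_dir/debian.cnf" constructed-secret)"
echo "safe: mode during write = $(write_secret_safe "$demo_dir/debian.cnf" constructed-secret)"
rm -rf "$demo_dir"
```

Both variants end with a 0600 file; only the mode during the write differs, which is why checking the final permissions after installation does not reveal the problem.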