oss-sec mailing list archives

Re: CVE request: enlightenment sysactions


From: cve-assign () mitre org
Date: Mon, 3 Feb 2014 15:28:24 -0500 (EST)

Red Hat Security suggested I request a CVE here since this potentially
affects multiple distros/maintainers.

https://bugzilla.redhat.com/show_bug.cgi?id=1059410

These aren't security flaws, precisely, due to some of the other
defaults that Fedora has that other distros/vendors may not, but
upstream recently did some hardening to the defaults they provide (and
we don't change) based on Martin Carpenter's report.

No one from another distribution responded with specific details that were
different from this "aren't security flaws, precisely" statement.
So, we will make the CVE assignments on the basis of the original report.

The Enlightenment window manager (enlightenment.org) was found to ship
with (a) a setuid root helper that did not effectively sanitize its
environment and (b) a weak default configuration. Users in select
groups could exploit this to execute arbitrary programs as root.

add more environment variables to nuke and add alternate environment
nuke method to raise security level.

 1. clear out environment as best is possible before executing
    anything. especially PATH and IFS are set to minimal base defaults.
    also use clearenv() if available and unsetenv()

Use CVE-2014-1845 for this issue in which the environment isn't
properly restricted.


2. remove gdb method as it's just too dangerous. run it as normal as
   the user and if the kernel / distro deny that - then sorry. too bad.

Use CVE-2014-1846 for this issue in which gdb is available unsafely in
the unpatched codebase.


In this interpretation, "and (b) a weak default configuration. Users
in select groups could exploit this to execute arbitrary programs as
root" means that at least one not-equivalent-to-root user is able to
execute the helper program. In other words, it is not an independent
vulnerability.

A specific Linux distribution might, for example, have an
implementation error in determining who is allowed to execute the
helper program. If anything like that is reported, additional CVE
assignments would be possible.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
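
The hardening quoted in item 1 of the message above (clear the environment, then set PATH and IFS to minimal defaults before executing anything), as an added example that is not part of the original message and is not the Enlightenment project's code. The function name `sanitize_environment` and the `SAFE_PATH` / `SAFE_IFS` values are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;
#ifdef __GLIBC__
extern int clearenv(void);   /* glibc extension; redeclared in case strict -std hides it */
#endif

/* Assumed minimal defaults (not taken from the page); adjust for the target system. */
#define SAFE_PATH "/usr/bin:/bin"
#define SAFE_IFS  " \t\n"

/* Wipe the inherited environment, then set only known-good values.
 * Returns 0 on success, -1 if the caller must refuse to continue. */
int sanitize_environment(void)
{
    size_t count = 0;

#ifdef __GLIBC__
    if (clearenv() != 0)
        return -1;
#else
    static char *empty_env[] = { NULL };
    environ = empty_env;     /* fallback where clearenv() is not available */
#endif
    if (setenv("PATH", SAFE_PATH, 1) != 0 || setenv("IFS", SAFE_IFS, 1) != 0)
        return -1;

    /* Fail closed: nothing but the two values set above may remain. */
    for (char **e = environ; e != NULL && *e != NULL; e++)
        count++;
    return count == 2 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample input: values an unprivileged caller controls. */
    setenv("LD_PRELOAD", "/tmp/constructed.so", 1);
    setenv("PATH", "/tmp/constructed:/usr/bin", 1);
    if (sanitize_environment() != 0) {
        fputs("refusing to run with an unclean environment\n", stderr);
        return 1;
    }
    for (char **e = environ; *e != NULL; e++)
        puts(*e);            /* only PATH and IFS are left */
    return 0;
}
```

Wiping everything and re-adding known values avoids the gap a list of variables to unset leaves when a dangerous variable is missing from the list.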

