oss-sec mailing list archives

Re: CVE request: xcfa: Insecure use of temporary files, subject to race conditions


From: cve-assign () mitre org
Date: Fri, 15 Aug 2014 04:24:43 -0400 (EDT)


https://bugs.debian.org/756600

As mentioned in the
http://openwall.com/lists/oss-security/2014/05/06/3 post, the Symlink
Following composite is treated as somewhat of a special case in CVE.
This doesn't, for example, mean that all problematic uses of files in
/tmp are always covered by a single CVE ID.

rm /tmp/index.html

any existing file called /tmp/index.html will be removed regardless

This may be an issue that is typically treated as a usability problem
(or maybe a documentation problem), not a security problem. The rm
program should remove /tmp/index.html - it should not remove the
target of a /tmp/index.html symlink. (If there is a race condition
within an implementation of rm, that would not be an xcfa
vulnerability.)

Ideally, xcfa would not remove /tmp/index.html because /tmp/index.html
might be an important file unrelated to xcfa. However, there doesn't
seem to be a way to design an "attack" in the traditional sense, and
/tmp/index.html isn't a filename that would be important in typical
cases. For example, if I have a critical file named file.txt~ and a
less important file named file.txt, and I decide to modify file.txt
with emacs, then file.txt~ is overwritten with no warning. This is
typically not considered an emacs vulnerability.

https://bugs.debian.org/756600 covers a number of Symlink Following
issues that allow overwriting files. Use CVE-2014-5254 for all of
these.

        fp = fopen ("/tmp/get_infos_dvd.sh", "w");

        fprintf (fp, "#!/bin/sh\n");

        fclose (fp);
        system ("chmod +x /tmp/get_infos_dvd.sh");

        system ("/tmp/get_infos_dvd.sh");

This one doesn't seem to be necessarily a Symlink Following issue. At
the instant of the fopen, /tmp/get_infos_dvd.sh might be a plain file
(not a symlink), owned by the attacker but with 0777 permissions. The
fopen/fprintf/fclose would succeed, and the chmod would fail. The
attacker can insert malicious code into /tmp/get_infos_dvd.sh in
between the fclose line and the second system line. Use CVE-2014-5255
for this.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

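A defensive counterpart to the fopen/fclose/chmod/system sequence quoted in the message above, added here as an example; it is not xcfa code and not part of the MITRE reply. The script is created with mkstemp() instead of fopen() on a fixed /tmp name, its mode is set through the descriptor rather than via system("chmod"), and the descriptor is checked with fstat() right before use. The function names and the "echo ok" body are constructed for this example.

```c
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical replacement for fopen("/tmp/get_infos_dvd.sh", "w") followed
 * by system("chmod +x ..."). mkstemp() creates with O_CREAT|O_EXCL and mode
 * 0600, so a pre-existing attacker-owned file at a fixed name is never reused
 * and a symlink planted there is never followed. `path` holds the template. */
int create_private_script(char *path, const char *body)
{
    int fd = mkstemp(path);            /* unique name, exclusive create */
    if (fd < 0) return -1;
    size_t left = strlen(body);
    while (left > 0) {                 /* write the whole body */
        ssize_t n = write(fd, body, left);
        if (n <= 0) { close(fd); unlink(path); return -1; }
        body += n;
        left -= (size_t)n;
    }
    /* Change mode through the descriptor: no window in which the name could
     * be pointed at something else, and no chmod failing unnoticed. */
    if (fchmod(fd, S_IRWXU) < 0) { close(fd); unlink(path); return -1; }
    return fd;
}

/* Verify the object behind the descriptor right before it is used: a regular
 * file owned by us, with a single link and writable by nobody else. This is
 * the property the xcfa fopen/chmod/system sequence never checked. */
int script_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid()
        && st.st_nlink == 1 && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Exercise both functions on a constructed script body, then clean up. */
int demo_private_script(void)
{
    char path[] = "/tmp/get_infos_dvd.XXXXXX";   /* template, not a fixed name */
    int fd = create_private_script(path, "#!/bin/sh\necho ok\n");
    if (fd < 0) return 0;
    int ok = script_is_private(fd);
    close(fd);
    unlink(path);
    return ok;
}
```

Even with these checks, running a generated script by path still trusts the directory it lives in; where possible the commands should be passed to the interpreter directly instead of being written to /tmp at all.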