oss-sec mailing list archives
Re: CVE request: sudo TZ issue
From: cve-assign () mitre org
Date: Thu, 12 Feb 2015 12:27:21 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Your February 9 message said "CVE request," your February 11 message didn't withdraw the request, and you mentioned that 'the promise that commands be started with a "safe" environment' is an intended property of sudo. That's sufficient for a CVE; use CVE-2014-9680.
There are really two issues here: exposure of TZ parsing bugs and access to arbitrary (potentially user-controlled) files. I'm happy to put the blame for TZ parsing bugs on libc or the application. However, there is no real way for the application to tell that it is being run by an unprivileged user and that operations that would otherwise be safe (opening a user-specified time zone file) may be dangerous.
The scope of CVE-2014-9680 is limited to the undesired ability of an attacker to trigger an open call for a pathname outside the zoneinfo directory (whether this is done with an absolute pathname or a relative pathname). The scope of CVE-2014-9680 does not include blocking other types of invalid or potentially malicious TZ values. For example:
It is longer than the value of PATH_MAX.
It seems simple to envision a program for which a length of PATH_MAX-2 triggers a buffer overflow. Even if such a program were known, we wouldn't want to assign a CVE ID to sudo on the basis that PATH_MAX-2 isn't blocked.
http://openwall.com/lists/oss-security/2014/10/15/24
Procmail is another program that recklessly whitelists TZ
Use CVE-2014-9681 for the similar issue in procmail. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJU3OIQAAoJEKllVAevmvms/M0H+QGrI9RHIuVe3o1srcyy7fSx qKl/T8hMjXLp5dliRa2MlTCHFqzpzuT/v+xeAk7u7HIRTyfo8eKqO5PJZANCTG3m 0dlBICOjLx3ne3QyP+2DSJM+iSh0Z5Qz2vpUKz05Ry0jSzEY/cF/t7NBPEo0f0pw CDMK/BxMVbhYHZnRs4MmCU0hPG2w0q/aa4I45rVJilB3z+sF1IDClw/uJWu3ZAMi ysAb278nfhMVzAklvzdwb2jpjk41orPPXY6XRGL2lsIEbZ+CFDPJs6mEW8q1oYxJ BE3nxsblJ543Y2KGkGVXXxg485H4FBhMkBL/znFmzPkHUKeTh3wl271d3krpbJU= =bEKj -----END PGP SIGNATURE-----
Current thread:
- CVE request: sudo TZ issue Todd C. Miller (Feb 09)
- <Possible follow-ups>
- Re: CVE request: sudo TZ issue Florian Weimer (Feb 10)
- Re: CVE request: sudo TZ issue Todd C. Miller (Feb 10)
- Re: CVE request: sudo TZ issue cve-assign (Feb 10)
- Re: Re: CVE request: sudo TZ issue Florian Weimer (Feb 11)
- Re: CVE request: sudo TZ issue cve-assign (Feb 12)
- Re: Re: CVE request: sudo TZ issue Todd C. Miller (Feb 11)
- Re: Re: CVE request: sudo TZ issue Rich Felker (Feb 12)
- Re: Re: CVE request: sudo TZ issue Simon McVittie (Feb 13)
- Re: Re: CVE request: sudo TZ issue Todd C. Miller (Feb 13)