Message-Id: <20150523154340.83C436C000E@smtpvmsrv1.mitre.org>
Date: Sat, 23 May 2015 11:43:40 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: QEMU 2.3.0 tmp vulns CVE request

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> So some suspicious looking tmp usage in qemu ...

> Additionally there will no doubt be further QEMU issues found in the
> next few days/weeks as people start looking ...

We do not know of any further discussion of this, so it seems best to
assign a CVE ID only for the net/slirp.c issue in the slirp_smb function:

>     snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
>              (long)getpid(), instance++);
>     if (mkdir(s->smb_dir, 0700) < 0) {
>         error_report("could not create samba server dir '%s'", s->smb_dir);
>         return -1;

The simplest attack would be a DoS in which someone creates
/tmp/qemu-smb.*-* files to prevent the legitimate creation of s->smb_dir
(mkdir will not follow a symlink).

Use CVE-2015-4037.

Michael Tokarev commented on most of the other issues.

For /tmp/pci.ids in niclist.pl (apparently maintained at
https://git.ipxe.org/ipxe.git/blob/HEAD:/src/util/niclist.pl), the
question is whether there's a requirement for a script of this type to be
within the scope of CVE. As far as we can tell, niclist.pl is not executed
in any default or configurable use of the product, and the documentation
doesn't mention executing it. Of course, some people do execute it (it is
sometimes mentioned in the product's forum such as on the
http://forum.ipxe.org/printthread.php?tid=6813 page). If someone needs a
CVE mapping to track the use of /tmp/pci.ids, please specify what
vulnerabilities exist. For example, if niclist.pl runs "wget -O
/tmp/pci.ids" and this follows a symlink from /tmp/pci.ids, is this best
considered a vulnerability in iPXE rather than a vulnerability in wget?
If /tmp/pci.ids is a plain file owned by someone else, and isn't
overwritten by niclist.pl, then is there an XSS issue in
format_nic_list_html?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVYJ+cAAoJEKllVAevmvmsvcMIAMP1KWPYdFTbDYN+CJfxmVWR
MUwwcLyV43n59bmihGKIG+K+kD+4SNEegRbph9NEtN/XJ8DjDPzdMrcIx6rIkwDR
+tgUewL6Er2+KPFUSLNozne9GDTqaQJDsD4FZsLmX/m+30Wd9DP2PCWwHWatKb9M
NerlWH03BFBKqV22bAA3EA2aBuCHt+QJODQrMvGt9m/DYVk/XFn21k6SE0qWiwlY
G+U06txLjxQ/KENG4Nro/6geYPZJMGUlFbLwcX87YVen9gRrEIcTlzdJjRRNz9DS
jXH1IdGhxVVya/CPNTS224/y7J2nKvfVpSe3GQM3eFUQFahkFFzb9GVDc2ZEAXI=
=LNB0
-----END PGP SIGNATURE-----
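The predictable-name problem behind CVE-2015-4037, as an added example that is not part of the message above and is not QEMU's own code. The first function mirrors the quoted slirp_smb() pattern (pid plus counter under /tmp, then mkdir 0700); the second is an assumed hardening using mkdtemp(3), which chooses a random suffix and creates the directory atomically. The "attacker" here is simulated in the same process by pre-creating the predictable path as a plain file; a real attacker would be any other local user racing the QEMU process, and the effect is the denial of service the message describes, since mkdir() refuses to follow an existing symlink or reuse an existing name:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, modelled on the quoted slirp_smb() code: the
 * directory name is derived from the pid and a counter, so any local
 * user can guess it and create the path first.  mkdir() does not follow
 * symlinks, so the realistic outcome is EEXIST (denial of service),
 * not a redirected write. */
static int make_smb_dir_predictable(char *path, size_t len, long pid, int instance)
{
    snprintf(path, len, "/tmp/qemu-smb.%ld-%d", pid, instance);
    if (mkdir(path, 0700) < 0)
        return -1;          /* errno == EEXIST when the name was squatted */
    return 0;
}

/* Hardened variant (an assumption for this example, not QEMU's fix):
 * mkdtemp(3) replaces the XXXXXX template with a random suffix and
 * creates the directory with mode 0700 in one step, retrying internally
 * if the candidate name already exists. */
static int make_smb_dir_safe(char *path, size_t len)
{
    const char *tmp = getenv("TMPDIR");
    snprintf(path, len, "%s/qemu-smb.XXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(path) == NULL)
        return -1;
    return 0;
}

/* Simulated attack: a local user pre-creates the predictable name (a
 * plain file here; a directory or symlink works just as well).
 * Returns 1 if the squat blocked the legitimate mkdir(), else 0. */
int predictable_name_is_squattable(void)
{
    char squat[128], victim[128];
    long pid = (long)getpid();

    snprintf(squat, sizeof(squat), "/tmp/qemu-smb.%ld-%d", pid, 0);
    int fd = open(squat, O_WRONLY | O_CREAT | O_EXCL, 0600);   /* attacker */
    if (fd < 0)
        return 0;
    close(fd);

    int rc = make_smb_dir_predictable(victim, sizeof(victim), pid, 0);
    int blocked = (rc < 0 && errno == EEXIST);
    unlink(squat);
    return blocked;
}

/* Returns 1 if mkdtemp produced a fresh directory owned by us with no
 * group/other permission bits and the template actually replaced. */
int safe_dir_is_private(void)
{
    char path[256];
    struct stat st;

    if (make_smb_dir_safe(path, sizeof(path)) < 0)
        return 0;
    int ok = stat(path, &st) == 0
          && S_ISDIR(st.st_mode)
          && (st.st_mode & 0077) == 0      /* umask cannot add bits, only remove */
          && st.st_uid == getuid()
          && strstr(path, "XXXXXX") == NULL;
    rmdir(path);
    return ok;
}

int main(void)
{
    printf("predictable name squattable: %d\n", predictable_name_is_squattable());
    printf("mkdtemp directory private:   %d\n", safe_dir_is_private());
    return 0;
}
```

The check on the hardened path is deliberately broader than "mkdir succeeded": a temporary directory is only safe if it was created by this process, is not world- or group-accessible, and its name could not be predicted in advance, which is what the stat() assertions verify. Note that mkdtemp() honours TMPDIR only because the caller builds the template from it; /tmp remains the fallback.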