RE: CVE request: Debian's package "mysql-server" leaks credential information
From: "Christey, Steven M." <coley () mitre org>
Date: Sun, 9 Jun 2013 22:17:14 +0000
> From: Daniel Kahn Gillmor [mailto:dkg () fifthhorseman net]
> Sent: Saturday, June 08, 2013 1:28 PM
> To: oss-security () lists openwall com
> Cc: gremlin () gremlin ru
> Subject: Re: [oss-security] CVE request: Debian's package "mysql-server" leaks credential information
>
> On 06/08/2013 07:00 AM, gremlin () gremlin ru wrote:
>> That's not a security issue, but a misconfiguration
>
> I consider this a security bug in the debian package's maintainer
> scripts: it is a race condition that leaks confidential information to a
> user who "wins" the race. It is *not* a misconfiguration; it is a bug
> with security implications.
This is the CVE perspective, as well. Even though "setting permissions and ownership of a file" is clearly a
configuration operation, as Kurt said, we do sometimes cover such issues.

Looking at the code extract for the installation script in Debian bug 711600, it is clear that debian.cnf is expected
to have certain ownership and permissions; this is part of a "security policy" that is specified by the code with the
chown/chmod commands, which override the default umask. Due to the race condition, an attacker can violate this
policy, which argues strongly for inclusion in CVE. We have maybe 10 to 20 previous CVEs that involve insufficient
control of permissions during installation or copies (for example, extracting a lot of files from an archive, or doing
a recursive directory copy, and changing the permissions only *after* they have all been extracted).

There has been some past discussion on oss-security about when reliance on a default umask is sufficient for inclusion
in CVE or not. See September 2012 discussion about gpg and vim starting at
http://www.openwall.com/lists/oss-security/2012/09/21/4, with my commentary at
http://www.openwall.com/lists/oss-security/2012/09/24/9 and Kurt's at
http://www.openwall.com/lists/oss-security/2012/09/26/6. While there aren't any hard-and-fast rules, a file
containing private keys or credentials is typically expected to be readable only by the intended user of the program,
so creation of a file with insecure permissions due to reliance on a default umask would likely qualify for a CVE.
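The pattern the thread is about, shown as an added example that is not the Debian mysql-server maintainer script from bug 711600: a credentials file written under the process's default umask and only afterwards chown/chmod'ed is world-readable for the interval between the two steps, whereas a file created under a restrictive umask is owner-only from its first byte. The file names, the umask values (022 as the "default", 077 as the restrictive one) and the credential line are constructed for this example.

```shell
#!/bin/sh
# Added example, not the Debian mysql-server maintainer script from bug 711600.
# It contrasts the racy "write under the default umask, then chmod" pattern
# with creating the file under a restrictive umask from the start.
# The file names, the umask values and the credential line are constructed.

# Constructed stand-in for the contents of debian.cnf.
SAMPLE_CNF='[client]
user = debian-sys-maint
password = CONSTRUCTED-SAMPLE-ONLY
'

# Racy pattern, split into its two steps so the window between them is visible.
# Step 1: the redirection creates the file under the process umask (022 here,
# a common default), i.e. mode 644, with the secret already inside.
racy_create() {              # $1 = path
    ( umask 022; printf '%s' "$SAMPLE_CNF" > "$1" )
}

# Step 2: ownership and mode are fixed up afterwards. Any local user who reads
# the file between step 1 and step 2 has the credential.
racy_lock_down() {           # $1 = path
    chown "$(id -un)" "$1"   # a real maintainer script would chown to root
    chmod 0600 "$1"
}

# Hardened pattern: restrict the umask *before* the file exists, so the very
# first byte written is only readable by the owner (mode 600). A later
# chown/chmod is then a no-op rather than a fix.
safe_create() {              # $1 = path
    ( umask 077; printf '%s' "$SAMPLE_CNF" > "$1" )
}

# Portable permission check: find -perm MODE matches the exact mode bits.
# Returns 0 when "$1" has exactly mode "$2" (e.g. 600), 1 otherwise.
is_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# Stand-alone demo: show the mode of the file at each step.
demo() {
    dir=$(mktemp -d)
    racy_create "$dir/debian.cnf"
    printf 'after racy create:   '; ls -l "$dir/debian.cnf"
    racy_lock_down "$dir/debian.cnf"
    printf 'after lock down:     '; ls -l "$dir/debian.cnf"
    safe_create "$dir/debian-safe.cnf"
    printf 'created under 077:   '; ls -l "$dir/debian-safe.cnf"
    rm -rf "$dir"
}
demo
```

The `is_mode` check is the kind of assertion a package's test suite can run against the installed file; it catches the end state but not the window, which is why the fix has to be where the file is created (a restrictive `umask` in the script, or creating an empty owner-only file first with `install -m 0600 /dev/null "$path"` and only then writing into it) rather than a chmod appended afterwards.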