Home page logo

oss-sec logo oss-sec mailing list archives

RE: CVE request: Debian's package "mysql-server" leaks credential information
From: "Christey, Steven M." <coley () mitre org>
Date: Sun, 9 Jun 2013 22:17:14 +0000

From: Daniel Kahn Gillmor [mailto:dkg () fifthhorseman net]
Sent: Saturday, June 08, 2013 1:28 PM
To: oss-security () lists openwall com
Cc: gremlin () gremlin ru
Subject: Re: [oss-security] CVE request: Debian's package "mysql-server"
leaks credential information

On 06/08/2013 07:00 AM, gremlin () gremlin ru wrote:

That's not a security issue, but a misconfiguration

I consider this a security bug in the debian package's maintainer
scripts: it is a race condition that leaks confidential information to a
user who "wins" the race.  It is *not* a misconfiguration; it is a bug
with security implications.

This is the CVE perspective, as well.  Even though "setting permissions and ownership of a file" is clearly a 
configuration operation, as Kurt said, we do sometimes cover such issues.

Looking at the code extract for the installation script in Debian bug 711600, it is clear that debian.cnf is expected 
to have certain ownership and permissions; this is part of a "security policy" that is specified by the code with the 
chown/chmod commands, which override the default umask.  Due to the race condition, an attacker can violate this 
policy, which argues strongly for inclusion in CVE.  We have maybe 10 to 20 previous CVEs that involve insufficient 
control of permissions during installation or copies (for example, extracting a lot of files from an archive, or doing 
a recursive directory copy, and changing the permissions only *after* they have all been extracted.)

There has been some past discussion on oss-security about when reliance on a default umask is sufficient for inclusion 
in CVE or not.  See September 2012 discussion about gpg and vim starting at 
http://www.openwall.com/lists/oss-security/2012/09/21/4 , with my commentary at 
http://www.openwall.com/lists/oss-security/2012/09/24/9 and Kurt's at 
http://www.openwall.com/lists/oss-security/2012/09/26/6 .  While there aren't any hard-and-fast rules, a file 
containing private keys or credentials is typically expected to be readable only by the intended user of the program, 
so creation of a file with insecure permissions due to reliance on a default umask would likely qualify for a CVE.

- Steve

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]