[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] incorrect description for CVE-2010-0412 systemtap flaw
From:       Vincent Danen <vdanen () redhat ! com>
Date:       2010-02-25 18:47:01
Message-ID: 20100225184701.GA2858 () redhat ! com
[Download RAW message or body]

Hi Steve and other vendors.  There is a bit of confusion around the
description of CVE-2010-0412.  This was due to some miscommunication as
to whether or not the full extent of the flaw was public, which is why
I didn't send a message sooner to explain why it was assigned.

> Name: CVE-2010-0412
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0412
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed:
> Assigned: 20100127
> Category:
> Reference: MLIST:[scm-commits] 20100215 rpms/systemtap/devel \
>                 systemtap-1.1-tighten-server-params.patch, NONE, 1.1 systemtap.spec, 1.59, \
>                 1.60
> Reference: URL:http://lists.fedoraproject.org/pipermail/scm-commits/2010-February/394714.html
> Reference: FEDORA:FEDORA-2010-1373
> Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035201.html
>                 
> Reference: FEDORA:FEDORA-2010-1720
> Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035261.html
>                 
> Reference: BID:38316
> Reference: URL:http://www.securityfocus.com/bid/38316
> 
> stap-server in SystemTap 1.1 does not properly restrict the value of
> the -B (aka BUILD) option, which allows attackers to have an
> unspecified impact via vectors associated with executing the make
> program, a different vulnerability than CVE-2009-4273.

The original fix for CVE-2009-4273 was incomplete, as noted in the
upstream bug report for the original flaw:

http://sourceware.org/bugzilla/show_bug.cgi?id=11105#c8

This is still the same root flaw as CVE-2009-4273, not a different
vulnerability, so we had assigned CVE-2010-0412 as a "fix for the
incomplete fix of CVE-2009-4273", due to the fact CVE-2009-4273 has this
description:

"stap-server in SystemTap before 1.1 allows remote attackers to execute
arbitrary commands via shell metacharacters in stap command-line
arguments in a request."

The original fix secured only the first link (stap server -> stap), but
the second link (stap -> make) was not fixed.  The -B option is not the
problem so much as an example of the problem.

I think Frank will agree that this is not a new flaw, so the CVE
description should be changed to reflect that.

The -B option is not
the problem so much as an example of the problem.

Upstream's bug report has links to the two patches that solve the
remaining unfixed bits of CVE-2009-4273 (#c10).

Thanks, and my apologies for the confusion on this.

-- 
Vincent Danen / Red Hat Security Response Team 


[prev in list] [next in list] [prev in thread] [next in thread]