[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2010-1974 reject request (dupe of CVE-2010-1168) and CVE-2010-1447
From: Jan Lieskovsky <jlieskov () redhat ! com>
Date: 2010-05-20 16:26:26
Message-ID: 4BF562B2.3060107 () redhat ! com
[Download RAW message or body]
Hi Steve,
this is due:
a, [1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1974
This is duplicate CVE identifier for the Perl Safe.pm module flaw,
CVE-2010-1168 identifier has been originally assigned to:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-1168
b, [3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1447
The description of this incorrectly states, it's PostgreSQL issue, but the true
source code base, responsible for this deficiency is Perl's Safe.pm
implementation. The source of this confusion is:
[4] http://www.postgresql.org/about/news.1203
Attached are advisories from my original posts to vendor-sec channel for all four issues:
i, CVE-2010-1168 Perl's Safe.pm 2.25 and below deficiency, when handling
implicit methods:
[5] https://bugzilla.redhat.com/show_bug.cgi?id=576508#c0
ii, CVE-2010-1169 PostgreSQL's PL/Perl deficiency, present due dependency / use of
Perl's Safe.pm extension module:
[6] https://bugzilla.redhat.com/show_bug.cgi?id=582615#c0
iii, CVE-2010-1170 PostgreSQL's PL/Tcl deficiency by handling autoload():
[7] https://bugzilla.redhat.com/show_bug.cgi?id=583072#c0
iv, CVE-2010-1447 Perl's Safe.pm 2.27 and below deficiency (see attached archive for
more information)
[8] https://bugzilla.redhat.com/show_bug.cgi?id=588269#c0
Flaw history:
1, Red Hat Security Response Team has been notified on 2010-03-18 with the details
of this issue. Later CVE-2010-1168 has been assigned to this (but in that moment
wasn't aware Rafael did already pseudo-published flaw details on his blog:
[9] http://blogs.perl.org/users/rafael_garcia-suarez/2010/03/new-safepm-fixes-security-hole.html
2, Later Tim Bunce identified similar deficiency in PostgreSQL's PL/Perl implementation.
CVE-2010-1169 identifier has been assigned to this:
[10] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-1169
3, Later Tom Lane identified similar deficiency in PostgreSQL's PL/Tcl implementation -- this
is what CVE-2010-1170 has been assigned for:
[11] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-1170
4, And finally, Tim Bunce and Rafael Garcia-Suarez recognized a yet another deficiency
in Perl's Safe.pm implementation, allowing to bypass the Perl's Safe compartment constrains,
by evaluation of unsafe code, returning returning references to subroutines, whose truly
execution was delayed to happen later, outside of the Safe compartment.
[12] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-1447
Have checked today with Tim, there isn't any new perl Safe.pm extension module issue (besides CVE-2010-1168
and CVE-2010-1447 cases), which would desire a new CVE id (CVE-2010-1974 is dupe of CVE-2010-1168).
Steve, could you please:
a, reject CVE-2010-1974 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1974) as a duplicate
CVE identifier for CVE-2010-1168 and,
b, update description of CVE-2010-1447 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1447)
so it would reflect the true reason of the flaw, it was originally assigned for.
Hope this clarification is sufficient. In case of any doubt / need of further background information,
related with above four issues, please ask.
Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
P.S.: Re-sending the message again, this time without patches, as first time the post exceeded the
limit for maximum size of the msg accepted by OSS mailer. Apologize to people in the Cc-list
for the unintended spam :(.
["CVE-2010-1168-advisory.txt" (text/plain)]
Perl Safe extension module background:
======================================
The Safe extension module allows the creation of compartments
in which Perl code can be evaluated. Each compartment has:
* a new namespace
The "root" of the namespace (i.e. "main::") is changed to
a different package and code evaluated in the compartment cannot
refer to variables outside this namespace, even with run-time glob
lookups and other tricks.
* an operator mask
Each compartment has an associated "operator mask". Code evaluated
in a compartment compiles subject to the compartment's operator mask.
Attempting to evaluate code in a compartment which contains a masked
operator will cause the compilation to fail with an error. The code
will not be executed.
CVE-2010-1168 flaw:
==================
Safe.pm 2.24 and earlier, when used in Perl 5.10.0 and earlier,
may allow attackers to break out of safe compartment in (1) Safe::reval
or (2) Safe::rdo using (implicit) references to Perl objects in code,
compiled and executed within compartment.
If a victim was tricked into running a specially-crafted Perl
script, using Safe extension module, it could lead to unauthorized
access to protected information or, execution of arbitrary Perl code,
which was intended to be prohibited.
Credit:
=======
Nick Cleaton
CVE: CVE identifier of CVE-2010-1168 has been assigned to this flaw.
====
Coordinated Release Date (CRD):
===============================
Monday, 2010-05-17
Please do not publicly mention / discuss the information
provided in this advisory prior to that date.
This may change / be postponed slightly yet, but in that case
we will contact you again with updated CRD.
Affected Perl versions:
=======================
Issue tested && confirmed in Perl of versions v5.8.x up to v5.10.x,
where version of Safe module extension is <= v2.24.
Patch / Solution:
=================
Upgrade to Perl Safe module extension v2.25 or higher.
Perl CPAN modules, which have Safe extension module as dependency (from Tim Bunce):
===================================================================================
Config-Scoped, Eval-Context, Workflow, Games-Perlwar, SNMP-Trapinfo, YAML-Logic,
Locale-TextDomain-OO, App-CPAN-Testers-Remailer, Colloquy-Data, Graph, Text::MicroMason::Safe.
["CVE-2010-1169-advisory.txt" (text/plain)]
PostgreSQL PL/Perl background:
==============================
PL/Perl is a loadable procedural language that enables
to write PostgreSQL functions in the Perl programming language.
CVE-2010-1169 flaw:
===================
A flaw was found in the way the PostgreSQL server process enforced
permission checks on scripts written in PL/Perl. A remote, authenticated
user, running a specially-crafted PL/Perl script, could use this flaw to
bypass PL/Perl trusted mode restrictions, allowing them to obtain sensitive
information; execute arbitrary Perl scripts; or cause a denial of service
(remove protected, sensitive data).
Credit:
=======
Tim Bunce
CVE: CVE identifier of CVE-2010-1169 has been assigned to this flaw.
====
Coordinated Release Date (CRD):
===============================
Monday, 2010-05-17
Please do not publicly mention / discuss the information
provided in this advisory prior to that date.
This may change / be postponed slightly yet, but in that case
we will contact you again with updated CRD.
Affected PostgreSQL versions:
=============================
Issue tested && confirmed in PostgreSQL of version v7.3.21 through
to version v9.0alpha4.
Draft patch by Tim Bunce:
========================
See patches/patch-v8.4-stable/pgsql-plperl-CVE-2010-1169-v8.4-draft.patch
Upstream backported patches to older versions of PostgreSQL:
============================================================
See patches/pgsql-rmsafe-CVE-2010-1169-patches.tar.gz.
Please read also patches/README\ --\ IMPORTANT file, as it
contains important upstream information, related with CVE-2010-1169
fix (there are some issues yet, and it's possible the final form
will be slightly different yet).
["CVE-2010-1170-advisory.txt" (text/plain)]
PostgreSQL PL/Tcl background:
==============================
PL/Tcl is a loadable procedural language for the PostgreSQL
database system that enables the Tcl language to be used
to write functions and trigger procedures.
CVE-2010-1170 flaw:
===================
A flaw was found in the way the PostgreSQL server process enforced
permission checks on scripts written in PL/Tcl. A remote, authenticated
user, running a specially-crafted PL/Tcl script, could use this flaw to
bypass PL/Tcl trusted mode restrictions, allowing them to obtain sensitive
information; execute arbitrary Tcl scripts; or cause a denial of service
(remove protected, sensitive data).
Credit:
=======
Tom Lane of Red Hat
CVE: CVE identifier of CVE-2010-1170 has been assigned to this flaw.
====
Coordinated Release Date (CRD):
===============================
Monday, 2010-05-17
Please do not publicly mention / discuss the information
provided in this advisory prior to that date.
This may change / be postponed slightly yet, but in that case
we will contact you again with updated CRD.
Affected PostgreSQL versions:
=============================
Issue tested && confirmed in PostgreSQL of version v7.3.21 through
to version v9.0alpha4.
Proposed upstream patches (for various PostgreSQL versions):
===========================================================
See patches/pltcl-patches.tar.gz.
["CVE-2010-1447_advisory.txt" (text/plain)]
Perl Safe extension module background:
======================================
The Safe extension module allows the creation of compartments
in which Perl code can be evaluated. Each compartment has:
* a new namespace
The "root" of the namespace (i.e. "main::") is changed to
a different package and code evaluated in the compartment cannot
refer to variables outside this namespace, even with run-time glob
lookups and other tricks.
* an operator mask
Each compartment has an associated "operator mask". Code evaluated
in a compartment compiles subject to the compartment's operator mask.
Attempting to evaluate code in a compartment which contains a masked
operator will cause the compilation to fail with an error. The code
will not be executed.
CVE-2010-1447 flaw:
===================
Safe.pm 2.26 and earlier (except 2.20 through 2.23 if using
a threads-enabled Perl), when used in Perl 5.10.0 and earlier,
may allow attackers to break out of safe compartment in (1) Safe::reval
or (2) Safe::rdo using references to Perl objects in code executed
outside the compartment.
If a victim was tricked into running a specially-crafted Perl
script, using Safe extension module, it could lead to unauthorized
access to protected information or, execution of arbitrary Perl code,
which was intended to be prohibited.
Different vulnerability than CVE-2010-1168.
Credit:
=======
Tim Bunce, Rafaƫl Garcia-Suarez
CVE: CVE identifier of CVE-2010-1447 has been assigned to this flaw.
====
Coordinated Release Date (CRD):
===============================
Monday, 2010-05-17
Please do not publicly mention / discuss the information
provided in this advisory prior to that date.
This may change / be postponed slightly yet, but in that case
we will contact you again with updated CRD.
Affected Perl versions:
=======================
Issue tested && confirmed in Perl of versions v5.8.x up to v5.10.x,
where version of Safe module extension is below 2.27 (except 2.20
through 2.23 if using a threads-enabled perl).
Patch / Solution:
=================
Upgrade to Perl Safe module extension v2.27 or higher.
Perl CPAN modules, which have Safe extension module as dependency (from Tim Bunce):
==================================================================================
Config-Scoped, Eval-Context, Workflow, Games-Perlwar, SNMP-Trapinfo, YAML-Logic,
Locale-TextDomain-OO, App-CPAN-Testers-Remailer, Colloquy-Data, Graph, Text::MicroMason::Safe.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic