Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
08ea0a5d by Salvatore Bonaccorso at 2018-01-14T17:26:57+01:00
Mark CVE-2017-15131/xdg-user-dirs as unimportant

Any enforcement of umask at session start could be done e.g. with
pam_umask(8).

Furthermore, the CVE seems specifically reproducible with Red Hat Enterprise,
but the issue as such is still applicable to other systems, though
highly dependent on the environment.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -20143,9 +20143,18 @@ CVE-2017-15133
 CVE-2017-15132
        RESERVED
 CVE-2017-15131 (It was found that system umask policy is not being honored 
when ...)
-       - xdg-user-dirs <undetermined>
+       - xdg-user-dirs <unfixed> (unimportant)
+       NOTE: The CVE relates that created directories by xdg-user-dirs might 
not
+       NOTE: respect a system policy for user created files by setting a umask
+       NOTE: system-wide in e.g. /etc/profile due to xdg-user-dirs beeing 
invoked
+       NOTE: from Xsession scripts. This can be mitigated by e.g. using 
pam_umask
+       NOTE: on session start and having it when xdg-user-dirs is executed.
+       NOTE: In Debian xdg-user-dirs starting from 0.15-3 replaces the use of
+       NOTE: /etc/X11/Xsession.d/*xdg-user-dirs-update with an autostart 
.desktop
+       NOTE: file for user-dirs-update primarly to work as well with Wayland
+       NOTE: sessions.
+       NOTE: Enforcements can be achieved e.g. by using pam_umask.
        NOTE: http://bugs.freedesktop.org/show_bug.cgi?id=102303
-       TODO: check, possibly fixed in 0.16 upstream (and thus 0.15-3 in 
Debian) by shipping an autostart file, only problem with wayland?
 CVE-2017-15130
        RESERVED
 CVE-2017-15129 (A use-after-free vulnerability was found in network namespaces 
code ...)
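Review bot: The added NOTE lines carry two typos ("beeing" for "being", "primarly" for "primarily") and one phrase that does not parse, "and having it when xdg-user-dirs is executed"; since these notes are what other triagers will read when they revisit the entry, it is worth stating the mitigation condition explicitly, e.g. "on session start so that the umask is already in effect when xdg-user-dirs is executed". The severity change from <undetermined> to <unfixed> (unimportant) is consistent with the commit message and with the removal of the TODO line, so no issue there; it might just be worth keeping a pointer that the 0.15-3 autostart change does not itself enforce any umask, which the last NOTE line ("Enforcements can be achieved e.g. by using pam_umask") only implies.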



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/08ea0a5dce23d35813a424378b3bd7f54cc97173

_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
