[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Moving ahead

REJECTED can mean "- it is unconfirmed (or not sufficiently
confirmed)"

I have searched many of the usual places, and have not been able to
find a dtappgather DOS attack.  Thus, I am concerned that we will be
unable to distinguish a new bug from this one.

I am familiar with two dtappgather bugs.  One is based on poor
permissions for /var/dt/appconfig/appmanager/ and
/var/dt/appconfig/appmanager/generic-display-0.  The other is based on 
poor checking of the DTUSERSESSION environment variable.  Both allow
the unauthorized chowning of a file to the user who invokes
dtappgather.

I can see using these as DOS attacks only insofar as root can damage
the local machine; these bug are promotion bug only as far as I see.

It may be that CERT has obfuscated the bug with the fact that, in
promotion, DOS attacks were happening.  Perhaps this was incompetent
script kiddies misuing an exploit script.

Does anyone have details of what actually led up to CA-98-02, so that
we can understand the bug?  Is it a matter of removing the DOS
references so that CAN-1999-0014 refers only to promotion?

Adam

On Wed, Jun 16, 1999 at 09:56:53AM -0400, Sheppard,Martin L. wrote:
| Hello all,
| 
| I believe that the comment Adam makes regarding CAN-1999-0014 should
| mean that the description should be modified, not that the candidate
| should be rejected.  Rejected, in my mind, means that there is no
| vulnerability or that another CVE entry covers the vulnerability under
| consideration.   Do I understand the meaning of Rejected and Modify
| correctly?
| 
| later,
| marty.
| 
| Adam Shostack wrote:
| > 
| > Let me just clarify that I meant candidates, not issues.
| > 
| > Further, those candidates which I have not commented on to date I
| > ACCEPT.
| > 
| > Adam
| > 
| > On Tue, Jun 15, 1999 at 09:58:43AM -0400, Adam Shostack wrote:
| > |
| > | We have disagreement on a few issues; I'll suggest that Steve put
| > | those forth one at a time for consideration.  I'll also say that to do
| > | a proper review job, the list was too long; I didn't start it several
| > | times because I wanted to go through it in one go, and thus my
| > | response was delayed.
| > |
| > | In addition, I want to raise three more, now that I've finished
| > | looking into them.
| > |
| > | CAN-1999-0014 we have insufficient data if a new CDE dtappgather bug
| > | comes out to determine if its new or a re-invention. (REJECT)
| > |
| > | CAN-1999-0032 the mention of (lp) is misleading.  The problem was with
| > | the BSD lpr family, not the SYSV lp family.  (MODIFY)
| > |
| > | CAN-1999-0099 the problem was demonstrated publicly through sendmail,
| > | there is no reason to expect it could not be used through another
| > | program.  Suggest phrasing:  "A buffer overflow in syslog which was
| > | demonstrably exploitable via sendmail."  (MODIFY)
| > |
Page Last Updated or Reviewed: May 22, 2007