[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2017-15131/xdg-user-dirs as unimportant
Salvatore Bonaccorso
carnil at debian.org
Sun Jan 14 16:27:29 UTC 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
08ea0a5d by Salvatore Bonaccorso at 2018-01-14T17:26:57+01:00
Mark CVE-2017-15131/xdg-user-dirs as unimportant
Any enforcement of umask at session start could be done e.g. with
pam_umask(8).
Furthermore, the CVE seems specifically reproducible with Red Hat Enterprise,
but the issue in its idea is still applicable to other systems, although
highly dependent on the environment.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -20143,9 +20143,18 @@ CVE-2017-15133
CVE-2017-15132
RESERVED
CVE-2017-15131 (It was found that system umask policy is not being honored when ...)
- - xdg-user-dirs <undetermined>
+ - xdg-user-dirs <unfixed> (unimportant)
+ NOTE: The CVE relates that created directories by xdg-user-dirs might not
+ NOTE: respect a system policy for user created files by setting a umask
+ NOTE: system-wide in e.g. /etc/profile due to xdg-user-dirs beeing invoked
+ NOTE: from Xsession scripts. This can be mitigated by e.g. using pam_umask
+ NOTE: on session start and having it when xdg-user-dirs is executed.
+ NOTE: In Debian xdg-user-dirs starting from 0.15-3 replaces the use of
+ NOTE: /etc/X11/Xsession.d/*xdg-user-dirs-update with an autostart .desktop
+ NOTE: file for user-dirs-update primarly to work as well with Wayland
+ NOTE: sessions.
+ NOTE: Enforcements can be achieved e.g. by using pam_umask.
NOTE: http://bugs.freedesktop.org/show_bug.cgi?id=102303
- TODO: check, possibly fixed in 0.16 upstream (and thus 0.15-3 in Debian) by shipping an autostart file, only problem with wayland?
CVE-2017-15130
RESERVED
CVE-2017-15129 (A use-after-free vulnerability was found in network namespaces code ...)
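Review bot: the added NOTE lines carry typos ("beeing" should be "being", "primarly" should be "primarily") and the sentence "having it when xdg-user-dirs is executed" is unclear; suggest "having the umask in effect by the time xdg-user-dirs is executed". The final line "Enforcements can be achieved e.g. by using pam_umask." repeats the pam_umask point already made two lines above and could be folded into it.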
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/08ea0a5dce23d35813a424378b3bd7f54cc97173
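The commit message and the tracker notes say the issue is that a umask set only in /etc/profile is not in effect for processes started from Xsession scripts, and that enforcing it at session start (e.g. with pam_umask) mitigates it. The following shell functions are an added example, not part of the Debian security tracker or of xdg-user-dirs: they compute the directory mode a given umask should yield, create a probe directory under an explicit umask to show the relationship, and check whether an existing directory (for instance one of the XDG user directories) matches the mode a required umask would give. They assume GNU coreutils `stat -c` and `mktemp -d`; the umask values used are constructed for the example.

```shell
#!/bin/sh
# Added example (not the security tracker's own code): helpers to verify that
# directories created in a session honour a required umask, such as one that
# pam_umask would enforce at session start.

# expected_dir_mode UMASK -> octal permission bits a new directory gets
# under UMASK (directories are created from 0777 masked by the umask).
expected_dir_mode() {
    printf '%o\n' $(( 0777 & ~0$1 ))
}

# dir_mode PATH -> the octal permission bits PATH currently has
# (assumes GNU stat; on BSD stat use 'stat -f %Lp').
dir_mode() {
    stat -c '%a' "$1"
}

# probe_dir_mode UMASK -> mode of a directory freshly created under UMASK.
# Runs in a subshell so the caller's umask is not changed; this is the
# behaviour a session-wide umask relies on, and what is lost when a helper
# such as xdg-user-dirs runs before /etc/profile's umask is in effect.
probe_dir_mode() (
    umask "$1"
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/probe" || return 1
    dir_mode "$tmp/probe"
    rm -rf "$tmp"
)

# check_dir_matches_umask DIR UMASK -> 0 if DIR has exactly the mode that
# UMASK would have produced, 1 otherwise. Typical use: run it against the
# directories listed in ~/.config/user-dirs.dirs after login.
check_dir_matches_umask() {
    want=$(expected_dir_mode "$2")
    got=$(dir_mode "$1") || return 1
    [ "$got" = "$want" ]
}

# Example run (constructed): compare the current user's Documents directory,
# if present, against a required umask of 077.
if [ -d "$HOME/Documents" ]; then
    if check_dir_matches_umask "$HOME/Documents" 077; then
        echo "Documents: mode matches umask 077"
    else
        echo "Documents: mode $(dir_mode "$HOME/Documents") does not match umask 077"
    fi
fi
```

`check_dir_matches_umask` only reports whether the mode is exactly what the umask would have produced; a directory that was later chmod'ed to something stricter will be reported as a mismatch, which is what you want when auditing whether the session-start umask was actually in effect when the directory was created.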