[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] MITRE clarified the scope of CVE-2018-6533 and CVE-2017-16933

Salvatore Bonaccorso carnil at debian.org
Thu Mar 1 19:59:37 UTC 2018 

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bf7dd7b8 by Salvatore Bonaccorso at 2018-03-01T20:55:53+01:00
MITRE clarified the scope of CVE-2018-6533 and CVE-2017-16933

After querying MITRE a further sentence to the description was added (a
larger issue than CVE-2017-16933). Basically CVE-2017-16933 is for the
unsafe use of chown(1) as found by the original reporter.

In consequence of this original report, upstream started a more general
audit of the product's design, in particular, it was concluded that
using init.conf to support run-time reconfiguration of an account was a
general design flaw. The reasons are not fully explained in any pull
request, but go beyond the behaviour of the cown(1) program, e.g. using
install(1) as well in unsafe manner.

The rationale thus for two CVEs is closely related to "incomplete fix"
or better in practice categorized as an "incompletely identified
problem.".

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -3116,8 +3116,10 @@ CVE-2018-6533 (An issue was discovered in Icinga 2.x through 2.8.1. By editing t
 	- icinga2 <unfixed> (low)
 	[stretch] - icinga2 <no-dsa> (Minor issue)
 	[jessie] - icinga2 <no-dsa> (Minor issue)
-	NOTE: Duplicate of CVE-2017-16933
 	NOTE: https://github.com/Icinga/icinga2/pull/5850
+	NOTE: CVE is related to CVE-2017-16933 but for "the issue in using
+	NOTE: init.conf to support run-time reconfiguration of an account is
+	NOTE: design flaw". CVE-2018-6533 larger issue than CVE-2017-16933.
 CVE-2018-6532 (An issue was discovered in Icinga 2.x through 2.8.1. By sending ...)
 	- icinga2 <unfixed> (low)
 	[stretch] - icinga2 <no-dsa> (Minor issue)
@@ -20596,6 +20598,7 @@ CVE-2017-16933 (etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.0 has a ch
 	[stretch] - icinga2 <no-dsa> (Minor issue)
 	[jessie] - icinga2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/Icinga/icinga2/issues/5793
+	NOTE: CVE is for the unsafe use of chown(1)
 CVE-2016-10700 (auth_login.php in Cacti before 1.0.0 allows remote authenticated users ...)
 	- cacti 0.8.8h+ds1-5 (bug #833420)
 	[jessie] - cacti 0.8.8b+dfsg-8+deb8u6



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf7dd7b87e34916b3077d6081810685598de7bd1

---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf7dd7b87e34916b3077d6081810685598de7bd1
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20180301/cdf89e50/attachment.html>

More information about the Secure-testing-commits mailing list