Message-Id: <200702232106.l1NL6RnO008144@faron.mitre.org>
Date: Fri, 23 Feb 2007 16:06:27 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: labs@...fense.com, bugtraq@...urityfocus.com
Subject: Re: iDefense Security Advisory 02.22.07: IBM DB2 Universal Database DB2INSTANCE File Creation Vulnerability


A few notes on this advisory and IBM's IY94817.

1) The real IY94817 document (not the stub) requires registration to
   even access in the first place, which is an unfortunate practice
   that too many vendors undertake.  The URL was also broken for some
   time.  Now that I've registered, I *STILL* can't get access to this
   file:

     "IY94817: SECURITY: DB2DIAG.LOG SYMBOLIC LINK OVERWRITE
     VULNERABILITY"

     http://www-1.ibm.com/support/docview.wss?uid=swg1IY94817

   Why is it so difficult just to get some basic security information?
   Security advisories should be easy for the public to access.  A
   sysadmin shouldn't have to register with hundreds of web sites just
   to get good security information.

   This kind of thing happens all the time, unfortunately.

2) Anyway, this document:

     http://www-1.ibm.com/support/docview.wss?uid=swg21255745

   says "The vulnerability allows a local user to write to any file on
   the system through the use of symbolic links (also known as
   symlinks or soft links)."

   According to the document that I can't access, this apparently
   involves some file called DB2DIAG.LOG.

3) But iDefense's advisory says nothing about symlinks.  It talks
   about "file creation" and using DB2INSTANCE to point to an
   attacker-controlled directory, along with insecure umask settings -
   but such features don't necessarily involve symlinks.


So - is there one vulnerability or two?  If there are two - does
IY94817 actually fix the iDefense-reported issue, or does it fix an
unrelated issue?  Finally, I thought that one of the IBM documents
mentioned buffer overflows, but now that I can't access all the
documents, I can't find where this was mentioned.

The reason why I'm asking is this:

>A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has
>not been assigned yet.

We assigned CVE-2007-1027 to IBM's writeup of DB2DIAG.LOG symlink, but
we can't be sure it applies to the iDefense advisory.

- Steve
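The message above distinguishes two mechanisms that the advisories blur together: a planted symlink that turns a log write into an overwrite of an arbitrary file, and a log created under an attacker-influenced directory with whatever mode a permissive umask allows. The following C program is an added illustration written for this archive page; it is not IBM's or iDefense's code and assumes nothing about how DB2 actually opens DB2DIAG.LOG. The directory and file names (a mkdtemp lab directory, `victim`, `db2diag.log`) are constructed for the demonstration. `open_naively()` shows the weak pattern that is exposed to both mechanisms; `open_log_safely()` shows the hardened pattern: verify the directory, open with O_NOFOLLOW so the kernel refuses a symlink at the final component, then verify the opened inode and set its mode explicitly instead of trusting the umask.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum log_open_result {
    LOG_OK = 0,
    LOG_ERR_DIR_UNTRUSTED = 1, /* dir owned by someone else or group/other writable */
    LOG_ERR_SYMLINK = 2,       /* a symlink sits where the log file should be */
    LOG_ERR_NOT_OURS = 3,      /* opened object is not a regular file we own */
    LOG_ERR_OTHER = 4
};

/* Weak pattern: follows symlinks and lets the umask decide the final mode. */
int open_naively(const char *path)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT, 0666);
}

/* Hardened pattern: dir check, O_NOFOLLOW open, post-open inode check, explicit mode. */
int open_log_safely(const char *dir, const char *name, int *fd_out)
{
    struct stat st;
    int dfd, fd;
    *fd_out = -1;

    /* Step 1: refuse a directory another user could control. */
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return LOG_ERR_OTHER;
    if (fstat(dfd, &st) != 0 || st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        return LOG_ERR_DIR_UNTRUSTED;
    }
    /* Step 2: open relative to that directory; O_NOFOLLOW makes a planted symlink fail with ELOOP. */
    fd = openat(dfd, name, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    close(dfd);
    if (fd < 0)
        return errno == ELOOP ? LOG_ERR_SYMLINK : LOG_ERR_OTHER;
    /* Step 3: verify what was actually opened and force the mode regardless of umask. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() || fchmod(fd, 0600) != 0) {
        close(fd);
        return LOG_ERR_NOT_OURS;
    }
    *fd_out = fd;
    return LOG_OK;
}

/* Constructed lab directory (mode 0700, owned by us) so the directory check passes. */
static int make_lab(char *path, size_t len)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    snprintf(path, len, "%s/db2diag-labXXXXXX", base);
    return mkdtemp(path) ? 0 : -1;
}

/* Scenario A: an existing file "victim" and a symlink db2diag.log -> victim. */
int scenario_symlink_planted(int hardened)
{
    char dir[256], link[512], victim[512];
    int fd = -1, rc;
    if (make_lab(dir, sizeof dir) != 0) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/db2diag.log", dir);
    close(open(victim, O_WRONLY | O_CREAT, 0600));
    symlink("victim", link);
    if (hardened) {
        rc = open_log_safely(dir, "db2diag.log", &fd);
    } else {
        fd = open_naively(link);
        rc = fd >= 0 ? LOG_OK : LOG_ERR_OTHER; /* LOG_OK here means the symlink was followed */
    }
    if (fd >= 0) close(fd);
    unlink(link); unlink(victim); rmdir(dir);
    return rc;
}

/* Scenario B: umask 0 ("insecure umask"); returns the permission bits of the created log. */
int scenario_permissive_umask(int hardened)
{
    char dir[256], path[512];
    struct stat st;
    mode_t old = umask(0);
    int fd = -1, mode = -1;
    if (make_lab(dir, sizeof dir) != 0) { umask(old); return -1; }
    snprintf(path, sizeof path, "%s/db2diag.log", dir);
    if (hardened) open_log_safely(dir, "db2diag.log", &fd);
    else fd = open_naively(path);
    if (fd >= 0 && fstat(fd, &st) == 0) mode = (int)(st.st_mode & 0777);
    if (fd >= 0) close(fd);
    unlink(path); rmdir(dir);
    umask(old);
    return mode;
}

int main(void)
{
    printf("symlink planted: naive=%d hardened=%d (2 = refused)\n",
           scenario_symlink_planted(0), scenario_symlink_planted(1));
    printf("umask 0: naive mode=%04o hardened mode=%04o\n",
           scenario_permissive_umask(0), scenario_permissive_umask(1));
    return 0;
}
```

Running it shows why the two issues are separable: the naive open succeeds through the symlink (scenario A) and leaves a 0666 log under umask 0 (scenario B), while the hardened open returns LOG_ERR_SYMLINK for A and a 0600 file for B. A fix that only tightens the umask or the log directory's permissions addresses B without touching A, which is exactly the kind of gap the question about IY94817 is probing.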