Author: nion Date: 2009-08-09 13:55:11 +0000 (Sun, 09 Aug 2009) New Revision: 12530 Modified: data/CVE/list Log: adjust xscreensaver impact, corner case Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-08-09 13:53:09 UTC (rev 12529) +++ data/CVE/list 2009-08-09 13:55:11 UTC (rev 12530) @@ -27,7 +27,7 @@ CVE-2009-XXXX [gnudips: remote priviledge escalation] - gnudips <unfixed> (medium; bug #539452) CVE-2009-XXXX [xscreensaver: local screen lock bypassable via low resolution video devices] - - xscreensaver <unfixed> (high; bug #539699) + - xscreensaver <unfixed> (low; bug #539699) CVE-2009-XXXX [php5: remote information disclosure] - php5 <unfixed> (medium; bug #540605) TODO: determine affected versions
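Review bot: the xscreensaver line in the @@ -27,7 +27,7 @@ hunk carries no record of why the rating now reads low; the log message gives only "corner case", and the rating moves from high to low without passing through medium. Suggest adding a short annotation under the entry, in the way the php5 entry below it carries a TODO: line, stating the conditions that justify the rating so the reasoning can be reviewed alongside bug #539699.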
Michael S. Gilbert
2009-Aug-10 04:12 UTC
[Secure-testing-team] [Secure-testing-commits] r12530 - data/CVE
On Sun, 9 Aug 2009 13:55:11 +0000 Nico Golde wrote:
> Author: nion > Date: 2009-08-09 13:55:11 +0000 (Sun, 09 Aug 2009) > New Revision: 12530 > > Modified: > data/CVE/list > Log: > adjust xscreensaver impact, corner case > > Modified: data/CVE/list > ==================================================================> --- data/CVE/list 2009-08-09 13:53:09 UTC (rev 12529) > +++ data/CVE/list 2009-08-09 13:55:11 UTC (rev 12530) > @@ -27,7 +27,7 @@ > CVE-2009-XXXX [gnudips: remote priviledge escalation] > - gnudips <unfixed> (medium; bug #539452) > CVE-2009-XXXX [xscreensaver: local screen lock bypassable via low resolution video devices] > - - xscreensaver <unfixed> (high; bug #539699) > + - xscreensaver <unfixed> (low; bug #539699) > CVE-2009-XXXX [php5: remote information disclosure] > - php5 <unfixed> (medium; bug #540605) > TODO: determine affected versions

i must respectfully disagree. from a software point-of-view, yes, this is a problem with a specific corner case for some random special screen resolution.

however, from an attacker's perspective, this kind of weakness is a goldmine. simply gain physical access to your target (which, yes, may be the hard part), plug in your misbehaving video device, and you're in. it's just way too easy.

also from the 'severity levels' section of the narrative_introduction:

high: a typical, exploitable security problem, which you'll really like to fix...

this is very exploitable, and hence should be fixed quickly.

i'd also like to think of it from a regular user's perspective. i.e. if this were to be prominently discussed in an article or magazine, how much of a reaction would there be? how much would it concern the readers that there is a known problem like this with their system that they can do nothing to prevent?

mike
Nico Golde
2009-Aug-10 15:56 UTC
[Secure-testing-team] [Secure-testing-commits] r12530 - data/CVE
Hi,
* Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-10 06:33]:
> On Sun, 9 Aug 2009 13:55:11 +0000 Nico Golde wrote:
[...]
> > CVE-2009-XXXX [xscreensaver: local screen lock bypassable via low resolution video devices] > > - - xscreensaver <unfixed> (high; bug #539699) > > + - xscreensaver <unfixed> (low; bug #539699) > > CVE-2009-XXXX [php5: remote information disclosure] > > - php5 <unfixed> (medium; bug #540605) > > TODO: determine affected versions
>
> i must respectfully disagree. from a software point-of-view, yes, this
> is a problem with a specific corner case for some random special screen
> resolution.
>
> however, from an attacker's perspective, this kind of weakness is a
> goldmine. simply gain physical access to your target (which, yes, may be
> the hard part), plug in your misbehaving video device, and you're in.
> it's just way too easy.

I can't think of a video device that automagically lowers your display resolution just by plugging it in. Besides that, if an attacker has physical access to the host you are almost always screwed anyway.

> also from the 'severity levels' section of the narrative_introduction:
>
> high: a typical, exploitable security problem, which you'll really
> like to fix...
>
> this is very exploitable, and hence should be fixed quickly.

Having a high exploitability score (speaking in NVD terms) doesn't mean the impact is high. In this case it doesn't affect almost all users and that's not what I'd consider high. Our notation here is a bit limited but to me high implies, easy to exploit, affects a wide range of users and from a victim perspective the impact is very high or only the latter and the exploitability doesn't matter (if it's even possible to write that down in a few sentences, even the CVSS scores are flawed).

> i'd also like to think of it from a regular user's perspective.
> i.e. if this were to be prominently discussed in an article or
> magazine, how much of a reaction would there be? how much would it concern the
> readers that there is a known problem like this with their system that
> they can do nothing to prevent?

Sorry, I have no idea what else I can say apart from this doesn't affect most of our users.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.