On Wed, May 03, 2023 at 02:59:42PM -0500, Carl George wrote:
> On Thu, Apr 27, 2023 at 10:20 AM Dave Dykstra via epel-devel
> <epel-devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Thu, Apr 27, 2023 at 02:11:46AM -0500, Carl George wrote:
...
> > > The Red Hat CVSS score for CVE-2022-1184 has the same breakdown as the
> > > NVD CVSS score. Both rate the "privileges required" property as low.
> > > From what I can tell that property would be rated high if they
> > > considered root privileges to be required. How does apptainer's use
> > > of setuid change anything here?
> >
> > According to the explanation I received from the ext4 kernel developer,
> > Red Hat's CVSS rating was incorrect on that property. Without singularity
> > or apptainer it does require high privileges to exploit.
>
> Red Hat's CVSS score breakdown for CVE-2022-1184 is:
>
> CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
>
> You're suggesting that Red Hat's rating should have been higher
> because they didn't factor in low privileges, but that is objectively
> false because they did score it with low privileges. If they had
> scored it for high privileges, that would have dropped the rating down
> from 5.5 to 4.4.

As DT pointed out, perhaps Red Hat was thinking that low privileges could have been used by automounts of a USB device, but since that requires physical access and there are much easier ways to get privilege escalation with physical access, the only additional capability that would give to a user is a crash, a denial of service.

> There is no reason to believe that CVE-2022-1184
> should have been marked as higher impact than it was, and thus I see
> no reason to justify the likely duplicate CVE-2023-30549 as high.

Now you seem to be missing the point of CVE-2023-30549. I agree that there's no reason to believe that CVE-2022-1184 should have been marked as higher impact than it was, but CVE-2023-30549 is about the extra impact that setuid-root apptainer (prior to 1.1.8) gives to users. It gives any user with a local account write access to the underlying bits of a filesystem, and since the filesystem can be easily corrupted by the user, and since CVE-2022-1184 is a memory corruption bug and not a simple panic, it potentially allows privilege escalation. That's why CVE-2023-30549 is high severity.

Dave