[VIM] Clarification on resmgr/resmgrd issues

Steven M. Christey coley at mitre.org
Tue May 2 16:56:34 EDT 2006


I just assigned CVE-2006-2147 to handle one of the issues described in
SUSE-SR:2006:004, and DSA-1047.  There was some uncertainty about
whether this was a dupe of other resmgr issues.

Here's a summary, with thanks to Ludwig Nussel of SUSE for giving the
final information.

1) SUSE-SR:2005:022 in October 2005 had:

   CVE-2005-4788 - "alternate syntax"
   CVE-2005-4789 - "class specific exclude rules"

2) SUSE-SR:2006:004 in February 2006 included:

   CVE-2006-2147 (new) - "usb:<bus>,<dev>" notation
   CVE-2005-4789 (same as SUSE-SR:2005:022) - "class specific exclude rules"


CVE-2005-4788 and CVE-2006-2147 sound similar, but are distinct.

DEBIAN:DSA-1047 is at least addressing CVE-2006-2147, but Debian had
to release it before I got clarification that it was different from
CVE-2005-4788, which is why the CVE is not there.  I don't know if
DSA-1047 addresses the other resmgr issues.

- Steve



======================================================
Name: CVE-2005-4788
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4788
Reference: SUSE:SUSE-SR:2005:022
Reference: URL:http://www.novell.com/linux/security/advisories/2005_22_sr.html
Reference: BID:15037
Reference: URL:http://www.securityfocus.com/bid/15037

resmgr in SUSE Linux 9.2 and 9.3, and possibly other distributions,
allows local users to bypass access control rules for USB devices via
"alternate syntax for specifying USB devices."


======================================================
Name: CVE-2005-4789
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4789
Reference: SUSE:SUSE-SR:2005:022
Reference: URL:http://www.novell.com/linux/security/advisories/2005_22_sr.html
Reference: BID:15037
Reference: URL:http://www.securityfocus.com/bid/15037

resmgr in SUSE Linux 9.2 and 9.3, and possibly other distributions,
does not properly enforce class-specific exclude rules in some
situations, which allows local users to bypass intended access
restrictions for USB devices that set their class ID at the interface
level.


======================================================
Name: CVE-2006-2147
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2147
Reference: SUSE:SUSE-SR:2006:004
Reference: URL:http://lists.suse.com/archive/suse-security-announce/2006-Feb/0008.html
Reference: DEBIAN:DSA-1047
Reference: URL:http://www.debian.org/security/2006/dsa-1047

resmgrd in resmgr for SUSE Linux and other distributions does not
properly handle when access to a USB device is granted by using
"usb:<bus>,<dev>" notation, which grants access to all USB devices and
allows local users to bypass intended restrictions.  NOTE: this is a
different vulnerability than CVE-2005-4788.



