116 changes: 58 additions & 58 deletions cves/systemd/CVE-2013-4391.yml
Expand Up @@ -19,14 +19,14 @@ curated_instructions: |
This will enable additional editorial checks on this file to make sure you
fill everything out properly. If you are a student, we cannot accept your work
as finished unless curated is properly updated.
curation_level: 0
curation_level: 1
reported_instructions: |
What date was the vulnerability reported to the security team? Look at the
security bulletins and bug reports. It is not necessarily the same day that
the CVE was created. Leave blank if no date is given.

Please enter your date in YYYY-MM-DD format.
reported_date:
reported_date: 2012-09-19
announced_instructions: |
Was there a date that this vulnerability was announced to the world? You can
find this in changelogs, blogs, bug reports, or perhaps the CVE date.
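Review bot: the new `reported_date: 2012-09-19` is more than ten months before the `published_date: 2013-08-04` and `announced_date: 2013-10-28` given further down, and predates the CVE's 2013 year; the `reported_instructions` above ask for the date from the security bulletin or bug report, so please cite the bulletin or report this date came from (for example in a note or under `bugs`) so a later curator can verify it.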
Expand All @@ -38,7 +38,7 @@ announced_date: 2013-10-28
published_instructions: |
Is there a published fix or patch date for this vulnerability?
Please enter your date in YYYY-MM-DD format.
published_date:
published_date: 2013-08-04
description_instructions: |
You can get an initial description from the CVE entry on cve.mitre.org. These
descriptions are a fine start, but they can be kind of jargony.
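Review bot: `published_date: 2013-08-04` should be tied to a verifiable fix; the only fix reference in this file is the commit URL placed under `bugs` below, so confirm that this is the author date of that commit and, if it is, record the same commit hash under `fixes` so the date and the patch are cross-checkable.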
Expand All @@ -55,7 +55,7 @@ description_instructions: |

Your target audience is people just like you before you took any course in
security
description:
description: When the journal data file is processed, the size of the file is not checked. This allows for a file larger than the memory allocated to be placed in a variable. This can cause the overwriting of variables down the stack including the function return address. If the return address is overwritten, after the function ends the program will "resume" at a different location. This process is called Integer/Buffer Overflow, and if exploited results in arbitrary code execution (which is bad).
bounty_instructions: |
If you came across any indications that a bounty was paid out for this
vulnerability, fill it out here. Or correct it if the information already here
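Review bot: the description is inconsistent with the rest of the file and mixes two different bugs. It says "the journal data file is processed", while the `interesting_commits` note names `journal-native.c` and the `forgotten_check` note describes parsing a message; pick one and state what input is actually parsed. It also says "This process is called Integer/Buffer Overflow" and "a file larger than the memory allocated to be placed in a variable", which conflates the integer overflow (CWE-190, as the file itself records) with the resulting buffer overflow (CWE-680); the `description_instructions` say to start from the CVE entry, so describe the chain in that order: a size computation wraps, the bounds check is therefore wrong, and memory is overwritten. The closing "(which is bad)" should go.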
Expand All @@ -70,7 +70,7 @@ bugs_instructions: |

For systemd, this is typically their GitHub issues, but could also include
bugs from other databases. Put a URL instead of a single number.
bugs: []
bugs: [https://cgit.freedesktop.org/systemd/systemd/commit/?id=505b6a61c22d5565e9308045c7b9bf79f7d0517e]
fixes_instructions: |
Please put the commit hash in "commit" below.

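Review bot: the entry added to `bugs` is a commit URL (`cgit.freedesktop.org/systemd/systemd/commit/?id=505b6a61...`), but the `bugs_instructions` above ask for issue-tracker URLs and the `fixes_instructions` say "put the commit hash in 'commit' below"; move the hash to `fixes` and either leave `bugs` empty or link the actual bug report or advisory, which would also back the `reported_date` chosen earlier in this change.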
Expand Down Expand Up @@ -106,7 +106,7 @@ upvotes_instructions: |
interesting they think this vulnerability is, and you'll add that to the
upvotes score on your branch.
upvotes:
unit_tested:
unit_tested:
question: |
Were automated unit tests involved in this vulnerability?
Was the original code unit tested, or not unit tested? Did the fix involve
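Review bot: the only change in this hunk is to the `unit_tested:` line, which reads identically before and after, so this is almost certainly a trailing-whitespace change; strip the stray whitespace rather than committing a no-op diff line. `upvotes:` stays empty, which is fine given the instructions say its value is assigned per branch.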
Expand All @@ -120,10 +120,10 @@ unit_tested:

For the fix_answer below, check if the fix for the vulnerability involves
adding or improving an automated test to ensure this doesn't happen again.
code:
code_answer:
fix:
fix_answer:
code: 0
code_answer: From what I could find in the code base, this code was not unit tested. The code did have a little section that tested everything, but it was very lacking.
fix: 0
fix_answer: The fix did not involve adding unit testing.
discovered:
question: |
How was this vulnerability discovered?
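Review bot: `code: 0` and `fix: 0` use integers while the rest of this change (i18n, sandbox, ipc, vouch) uses `true`/`false`; use booleans consistently. The `code_answer` ("The code did have a little section that tested everything, but it was very lacking") is too vague to check; name the test file or function you found, and say whether it exercised the parsing path that was fixed.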
Expand All @@ -138,10 +138,10 @@ discovered:

If there is no evidence as to how this vulnerability was found, then please
explain where you looked.
answer:
automated:
contest:
developer:
answer: It was from a developer. The person who submitted the bug fix was Lennart Poettering and his email is "[email protected]". Lennart during the whole project has been extremely active all the way back to 2010 so it's safe to say this was a developer of the project.
automated: false
contest: false
developer: true
autodiscoverable:
instructions: |
Is it plausible that a fully automated tool could have discovered
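Review bot: the `answer` reasons from who authored the fix ("The person who submitted the bug fix was Lennart Poettering") to who discovered the bug, but the fix author is not necessarily the discoverer; cite the commit message or bug report if it says who found it, and otherwise state that the discoverer is not recorded, as the `discovered` instructions ask. The personal e-mail address is not needed for this attribution and should be dropped from the curation file.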
Expand All @@ -158,8 +158,8 @@ autodiscoverable:

The answer field should be boolean. In answer_note, please explain
why you come to that conclusion.
note:
answer:
note: It's possible that an automated system could have discovered that they iterated over a variable without checking whether it's the correct size. A fuzzer could also test for what sizes the system crashes and potential exploit the buffer overflow.
answer: 1
specification:
instructions: |
Is there mention of a violation of a specification? For example, the POSIX
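Review bot: `answer: 1` should be `true`; the instructions two lines above say the answer field is boolean, and the other answers in this change use `true`/`false`. In the note, "potential exploit the buffer overflow" should read "potentially trigger the buffer overflow", and "iterated over a variable without checking whether it's the correct size" does not match the integer-overflow mechanism the CWE section records; say that a static checker could flag the unchecked size arithmetic and a fuzzer could hit the crash.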
Expand All @@ -176,8 +176,8 @@ specification:

The answer field should be boolean. In answer_note, please explain
why you come to that conclusion.
note:
answer:
note: I couldn't find any specifications that this vulnerability violated.
answer: 0
subsystem:
question: |
What subsystems was the mistake in? These are subsystems WITHIN systemd
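Review bot: `answer: 0` should be `false` for the same boolean-consistency reason as the other answers in this change. The note would be stronger if it named where you looked (for example the commit message and the CVE text) rather than only "I couldn't find any specifications".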
Expand Down Expand Up @@ -206,17 +206,17 @@ subsystem:
name: ["subsystemA", "subsystemB"] # ok
name: subsystemA # also ok

name:
note:
name: journald
note:
interesting_commits:
question: |
Are there any interesting commits between your VCC(s) and fix(es)?

Use this to specify any commits you think are notable in some way, and
explain why in the note.
commits:
- commit:
note:
- commit: 0153028ae379eb7c9a463c548ef73ea392c6cdb0
note: This is the VCC automatically discovered by archeogit. It found this when the "journal-native.c" files were created by removing their contents from "journal.c".
- commit:
note:
i18n:
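Review bot: the second `- commit:` / `note:` pair in `interesting_commits` is left blank, which produces a list entry with null fields; remove it. The subsystem `note:` is also empty even though `name: journald` was filled in, so add a sentence on why journald (the file named in the VCC note, `journal-native.c`, supports it). In the VCC note, "files were created" should be "file was created" since one file is named.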
Expand All @@ -231,8 +231,8 @@ i18n:
Answer should be true or false
Write a note about how you came to the conclusions you did, regardless of
what your answer was.
answer:
note:
answer: false
note: This vulnerability from my understanding did not involve internationalization. This vulnerability was an integer overflow.
sandbox:
question: |
Did this vulnerability violate a sandboxing feature that the system
Expand All @@ -246,8 +246,8 @@ sandbox:
Answer should be true or false
Write a note about how you came to the conclusions you did, regardless of
what your answer was.
answer:
note:
answer: true
note: Because of the nature of integer overflows, they allow for the overwriting of data on different parts of the stack. This may include the return address of the function which could allow other code to be executed including malicious code.
ipc:
question: |
Did the feature that this vulnerability affected use inter-process
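Review bot: the `sandbox` question asks whether the vulnerability violated a sandboxing feature of the system, but the note only restates the consequence of the overflow ("overwriting of data on different parts of the stack ... malicious code") without naming any sandbox; either identify the sandboxing feature that was bypassed or change the answer to `false` and say so in the note.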
Expand All @@ -258,8 +258,8 @@ ipc:
Answer must be true or false.
Write a note about how you came to the conclusions you did, regardless of
what your answer was.
answer:
note:
answer: false
note: This vulnerability is from user input. So I would say no.
discussion:
question: |
Was there any discussion surrounding this?
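Review bot: "This vulnerability is from user input. So I would say no." does not answer the IPC question. The VCC note in this same change places the bug in `journal-native.c` and the `forgotten_check` note says the code parses a message; check how that message reaches journald, because if it is sent by another process the affected feature does use inter-process communication and this answer should be `true`.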
Expand All @@ -286,9 +286,9 @@ discussion:
Put any links to disagreements you found in the notes section, or any other
comment you want to make.

discussed_as_security:
any_discussion:
note:
discussed_as_security: false
any_discussion: false
note: I didn't find any discussion about this vulnerability.
vouch:
question: |
Was there any part of the fix that involved one person vouching for
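Review bot: the note "I didn't find any discussion about this vulnerability" should say where you looked (the commit, the bug tracker, mailing lists), as the `discovered` section's instructions ask for elsewhere in this file; without that a later curator cannot tell whether the search was thorough.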
Expand All @@ -301,8 +301,8 @@ vouch:

Answer must be true or false.
Write a note about how you came to the conclusions you did, regardless of what your answer was.
answer:
note:
answer: false
note: I don't think anyone vouched for anyone else here.
stacktrace:
question: |
Are there any stacktraces in the bug reports?
Expand All @@ -316,9 +316,9 @@ stacktrace:
Answer must be true or false.
Write a note about how you came to the conclusions you did, regardless of
what your answer was.
any_stacktraces:
stacktrace_with_fix:
note:
any_stacktraces: false
stacktrace_with_fix: false
note: I could not find any stack traces with this bug report.
forgotten_check:
question: |
Does the fix for the vulnerability involve adding a forgotten check?
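Review bot: the note says "I could not find any stack traces with this bug report", but no bug report is linked anywhere in this change (the `bugs` field holds a commit URL); either link the report you checked or reword the note to say no bug report was found.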
Expand All @@ -337,8 +337,8 @@ forgotten_check:
Answer must be true or false.
Write a note about how you came to the conclusions you did, regardless of
what your answer was.
answer:
note:
answer: true
note: The check for whether the data exceeded the max size was not checked. Before it would attempt to parse the message and if it was too large it would only report that it failed to parse the message.
order_of_operations:
question: |
Does the fix for the vulnerability involve correcting an order of
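Review bot: "The check for whether the data exceeded the max size was not checked" is circular; say that the size check against the maximum was missing. Since the `mistakes` answer in this change names `ENTRY_SIZE_MAX`, name it here too and describe the behaviour before and after the fix in one sentence each, so the note matches the patch.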
Expand All @@ -350,8 +350,8 @@ order_of_operations:
Answer must be true or false.
Write a note about how you came to the conclusions you did, regardless of
what your answer was.
answer:
note:
answer: false
note: It doesn't involve order of operations because the code was missing a size check on the user input.
lessons:
question: |
Are there any common lessons we have learned from class that apply to this
Expand All @@ -368,37 +368,37 @@ lessons:
If you think of another lesson we covered in class that applies here, feel
free to give it a small name and add one in the same format as these.
defense_in_depth:
applies:
note:
applies: false
note:
least_privilege:
applies:
note:
applies: true
note: Because this vulnerability allows for the program's privileges to be used to execute arbitrary code. It important that the program has the least privilege it requires to do it's job.
frameworks_are_optional:
applies:
applies: false
note:
native_wrappers:
applies:
applies: false
note:
distrust_input:
applies:
note:
applies: true
note: Trusting that the user wouldn't enter a journal that exceeds the largest size is how the integer was overflown.
security_by_obscurity:
applies:
applies: false
note:
serial_killer:
applies:
applies: false
note:
environment_variables:
applies:
applies: false
note:
secure_by_default:
applies:
applies: false
note:
yagni:
applies:
applies: false
note:
complex_inputs:
applies:
applies: false
note:
mistakes:
question: |
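Review bot: `defense_in_depth` is set to `false` with an empty `note:` even though every other lesson answered in this hunk carries a justification; add one sentence on why it does not apply. In the `least_privilege` note, "It important" should be "It is important" and "it's job" should be "its job". In the `distrust_input` note, "the user wouldn't enter a journal that exceeds the largest size" should describe the actual input (the message size field parsed by journald) rather than "a journal".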
Expand Down Expand Up @@ -429,7 +429,7 @@ mistakes:

Write a thoughtful entry here that people in the software engineering
industry would find interesting.
answer:
answer: The main mistake that caused this vulnerability is a lapse that resulted in checking the size of the journal data file to be skipped. The developer planned for this to exist, they made a global variable called "ENTRY_SIZE_MAX" however they forgot to use it in this part of the function.
CWE_instructions: |
Please go to http://cwe.mitre.org and find the most specific, appropriate CWE
entry that describes your vulnerability. We recommend going to
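Review bot: "a lapse that resulted in checking the size ... to be skipped" is awkward; say the size check was omitted. The answer also calls `ENTRY_SIZE_MAX` a "global variable"; if it is a preprocessor constant, say "constant". Since this answer is meant to be the file's main engineering lesson, link it to the fix commit referenced elsewhere in this change so the claim that the constant existed but was unused can be verified.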
Expand All @@ -445,10 +445,10 @@ CWE_instructions: |
CWE: ["123", "456"] # this is ok
CWE: [123, 456] # also ok
CWE: 123 # also ok
CWE:
CWE_note:
CWE: ["190", "680"]
CWE_note: Integer Overflow or Wraparound and Interger Overflow to Buffer Overflow
nickname_instructions: |
A catchy name for this vulnerability that would draw attention it.
If the report mentions a nickname, use that.
Must be under 30 characters. Optional.
nickname:
nickname: journal-data-overflow
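Review bot: "Interger" in `CWE_note` should be "Integer". The two CWE entries are a reasonable pair (190 for the wraparound, 680 for the wraparound leading to a buffer overflow), but the `CWE_instructions` ask for the most specific entry, so consider stating in the note which of the two you consider primary.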