[svlug] Restricting privileges

Sarah Newman newmans at sonic.net
Wed Jan 14 18:56:25 PST 2015


Aside from whether this particular bug is a red herring, interest in AppArmor had been expressed to
me previously so I wanted to share my research. I also wanted to show how to run a GUI process as a
different user transparently.

To wildly speculate, perhaps the reports are intentionally vague so that exploits are less likely to
be developed until end users have had a chance to update.

Regards, Sarah

On 01/14/2015 06:39 PM, Jesse Monroy wrote:
> Sarah,
> first thank you for bringing this to everyone's attention, but
> personally I see a Red Herring.
> If there is evidence to the contrary, please enlighten me. Otherwise,
> this is what I see:
> 
> I followed the link provided. It links back to Mozilla.org
> 
> https://www.mozilla.org/en-US/security/advisories/mfsa2015-01/
> 
> The description is generic and not helpful. It ends in a very vague:
> """
> and we presume that with enough effort at least some of these could be
> exploited to run arbitrary code.
> """
> 
> It has four reference links. Two (2) go to the mitre.org, two (2) go to Bugzilla.
> The Mitre descriptions are generic in nature, and they link back to the
> nist.org, then that page links to the same Bugzilla links in the
> previous page. So the links to mitre.org are completely useless and
> devoid of any real information.
> 
> If I follow the Bugzilla links I get "Zarro Boogs found." (Yes, humor
> from the bugzilla people)
> https://bugzilla.mozilla.org/buglist.cgi?bug_id=1109889
> 
> So after all this dereferencing of links I just do a direct search.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1111737
> 
> NOW it says:
> """
> You are not authorized to access bug #1111737. To see this bug, you
> must first log in to an account with the appropriate permissions.
> """
> 
> So perhaps you'll see my annoyance.
> Jesse
> 



