Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Tue, 9 Sep 2008 19:01:29 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id requests: gmanedit

Hi Steven,
* Steven M. Christey <coley@...us.mitre.org> [2008-09-09 18:12]:
> On Sat, 6 Sep 2008, Steffen Joeris wrote:
> 
> > There are two possible buffer overflows in gmanedit. One is via crafted
> > configuration file and the other one via crafted manual page.
> > See the Debian bug report for more information.
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497835
> 
> Use CVE-2008-3971, which covers the manual page and (if it's
> security-relevant) the configuration page.  Even though the source of
> attack is different, the vuln type is the same.
> 
> Nico - I don't know the typical usage scenarios for gmanedit, but if the
> design of the configuration file allows the user to define dangerous
> actions (such as their own executable commands), then it's clearly not
> intended for external influence and wouldn't count as a vuln in my book.
> Still would be merged under CVE-2008-3971 if there's a scenario.

I share your opinion here, I'd rather see the COMMANDS thing 
as an application bug as a user who doesn't read the 
configuration but just uses it could also get owned with a 
valid command. The only difference I see is that as far as I 
understood the command is only executed after user action 
while the configuration value is read without. The manpage 
utf-8 conversion is the real vulnerability as it is possible 
to exploit a victim by opening a crafted manpage in 
gmanedit.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ