Date: Tue, 9 Sep 2008 19:01:29 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id requests: gmanedit
Hi Steven,
* Steven M. Christey <coley@...us.mitre.org> [2008-09-09 18:12]:
> On Sat, 6 Sep 2008, Steffen Joeris wrote:
>
> > There are two possible buffer overflows in gmanedit. One is via crafted
> > configuration file and the other one via crafted manual page.
> > See the Debian bug report for more information.
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497835
>
> Use CVE-2008-3971, which covers the manual page and (if it's
> security-relevant) the configuration page. Even though the source of
> attack is different, the vuln type is the same.
>
> Nico - I don't know the typical usage scenarios for gmanedit, but if the
> design of the configuration file allows the user to define dangerous
> actions (such as their own executable commands), then it's clearly not
> intended for external influence and wouldn't count as a vuln in my book.
> Still would be merged under CVE-2008-3971 if there's a scenario.
I share your opinion here; I'd rather see the COMMANDS thing
as an application bug, as a user who doesn't read the
configuration but just uses it could also get owned with a
valid command. The only difference I see is that, as far as I
understand, the command is only executed after user action,
while the configuration value is read without. The manpage
UTF-8 conversion is the real vulnerability, as it is possible
to exploit a victim by opening a crafted manpage in
gmanedit.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.