Date: Tue, 9 Sep 2008 19:01:29 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id requests: gmanedit

Hi Steven,

* Steven M. Christey <coley@...us.mitre.org> [2008-09-09 18:12]:
> On Sat, 6 Sep 2008, Steffen Joeris wrote:
>
> > There are two possible buffer overflows in gmanedit. One is via crafted
> > configuration file and the other one via crafted manual page.
> > See the Debian bug report for more information.
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497835
>
> Use CVE-2008-3971, which covers the manual page and (if it's
> security-relevant) the configuration page. Even though the source of
> attack is different, the vuln type is the same.
>
> Nico - I don't know the typical usage scenarios for gmanedit, but if the
> design of the configuration file allows the user to define dangerous
> actions (such as their own executable commands), then it's clearly not
> intended for external influence and wouldn't count as a vuln in my book.
> Still would be merged under CVE-2008-3971 if there's a scenario.

I share your opinion here; I'd rather see the COMMANDS thing as an
application bug, as a user who doesn't read the configuration but just
uses it could also get owned with a valid command. The only difference I
see is that, as far as I understood, the command is only executed after
user action while the configuration value is read without.

The manpage utf-8 conversion is the real vulnerability, as it is possible
to exploit a victim by opening a crafted manpage in gmanedit.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]