Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform Pro for Linux Pro for Mac OS X Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repository (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 9 Sep 2008 19:01:29 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id requests: gmanedit

Hi Steven,
* Steven M. Christey <coley@...us.mitre.org> [2008-09-09 18:12]:
> On Sat, 6 Sep 2008, Steffen Joeris wrote:
> 
> > There are two possible buffer overflows in gmanedit. One is via crafted
> > configuration file and the other one via crafted manual page.
> > See the Debian bug report for more information.
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497835
> 
> Use CVE-2008-3971, which covers the manual page and (if it's
> security-relevant) the configuration page.  Even though the source of
> attack is different, the vuln type is the same.
> 
> Nico - I don't know the typical usage scenarios for gmanedit, but if the
> design of the configuration file allows the user to define dangerous
> actions (such as their own executable commands), then it's clearly not
> intended for external influence and wouldn't count as a vuln in my book.
> Still would be merged under CVE-2008-3971 if there's a scenario.

I share your opinion here, I'd rather see the COMMANDS thing 
as an application bug as a user who doesn't read the 
configuration but just uses it could also get owned with a 
valid command. The only difference I see is that as far as I 
understood the command is only executed after user action 
while the configuration value is read without. The manpage 
utf-8 conversion is the real vulnerability as it is possible 
to exploit a victim by opening a crafted manpage in 
gmanedit.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ