Date: Tue, 28 Feb 2012 23:44:07 +0100 From: Marcus Meissner <meissner@...e.de> To: oss-security@...ts.openwall.com Cc: "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE Request (minor) -- osc: Improper sanitization of terminal emulator escape sequences when displaying build log and build status On Tue, Feb 28, 2012 at 06:56:52PM +0100, Jan Lieskovsky wrote: > Hello Kurt, Steve, Marcus, vendors, > > a security flaw was found in the way osc, the Python language based > command > line client for the openSUSE build service, displayed build logs and build > status for particular build. A rogue repository server could use this flaw > to > modify window's title, or possibly execute arbitrary commands or overwrite > files via a specially-crafted build log or build status output containing an > escape sequence for a terminal emulator. > > References: >  https://bugzilla.novell.com/show_bug.cgi?id=749335 >  https://bugzilla.redhat.com/show_bug.cgi?id=798353 > > I need to conclude, I don't know how OBS repositories work (if there is a > chance > of a rogue server being present). In any case, this issue is on the border > (pretty unlikely someone could alter content of OBS package during build -- > in that case there would be more urgent issues than just particular terminal > window title change). > > But strictly taken, the trust boundary is crossed in the moment, someone > would schedule OBS build and wouldn't expect the build log / status can > perform terminal "side" effect yet. > > Marcus, please correct me if you don't agree this should get a CVE > identifier. > > If no one having objections and request appropriate, could you allocate one? I am not fully convinced it needs a CVE. It basically boils down to the old "logfile with content that might be controlled by an attacker pasted raw to a terminal" issue. There is some more control on the person who builds a specific package what is output thant there usually is in logfiles though. A rogue server is unlikely, however a malicious packager could echo "bad escape code" in his build and then ask for help on our IRC channels or mailinglists with package Y on project X. (anyone can create an account and build packages ... and asking for help is not uncommon) e.g. with "look at logfile with: 'osc buildlog home:user foopackage standard i586'.) Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ