Date: Tue, 28 Feb 2012 23:44:07 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request (minor) -- osc: Improper sanitization of terminal emulator escape sequences when displaying build log and build status

On Tue, Feb 28, 2012 at 06:56:52PM +0100, Jan Lieskovsky wrote:
> Hello Kurt, Steve, Marcus, vendors,
> 
>   a security flaw was found in the way osc, the Python language based
> command line client for the openSUSE build service, displayed build logs and
> build status for a particular build. A rogue repository server could use this
> flaw to modify the window's title, or possibly execute arbitrary commands or
> overwrite files via a specially-crafted build log or build status output
> containing an escape sequence for a terminal emulator.
> 
> References:
> [1] https://bugzilla.novell.com/show_bug.cgi?id=749335
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=798353
> 
> I need to conclude, I don't know how OBS repositories work (if there is a
> chance of a rogue server being present). In any case, this issue is on the
> border (pretty unlikely someone could alter the content of an OBS package
> during build -- in that case there would be more urgent issues than just a
> particular terminal window title change).
> 
> But strictly taken, the trust boundary is crossed the moment someone
> schedules an OBS build and wouldn't expect the build log / status to perform
> terminal "side" effects.
> 
> Marcus, please correct me if you don't agree this should get a CVE
> identifier.
> 
> If no one has objections and the request is appropriate, could you allocate one?

I am not fully convinced it needs a CVE.

It basically boils down to the old "logfile with content that might be controlled
by an attacker pasted raw to a terminal" issue.

The person who builds a specific package has somewhat more control over what
is output than there usually is in logfiles, though.

A rogue server is unlikely, however a malicious packager could echo "bad escape code"
in his build and then ask for help on our IRC channels or mailing lists with package Y on project X
(anyone can create an account and build packages ... and asking for help is not uncommon),
e.g. with "look at the logfile with: 'osc buildlog home:user foopackage standard i586'".

Ciao, Marcus
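The sanitization this thread says osc was missing, as an added example (it is not osc's own code and not from either message above): a Python filter that strips terminal escape and control sequences from untrusted build-log text before it is written to the user's terminal, run over a constructed build log that carries the kind of window-title (OSC), clipboard (OSC 52) and CSI sequences the request describes. The function names, the regexes and the sample log are the example's own assumptions.

```python
import re

# Added example, not osc's own code. Strips the terminal control sequences an
# attacker-controlled build log could carry before the text reaches the user's
# terminal emulator. Works on decoded str; the 8-bit C1 introducers
# (U+0080..U+009F) are covered in case the log was decoded as latin-1.

# OSC (ESC ]), DCS (ESC P), APC (ESC _), PM (ESC ^), SOS (ESC X) and their
# 8-bit C1 forms: the body runs until BEL, ST (ESC \) or 8-bit ST (0x9C).
# These carry the dangerous payloads: OSC 0/2 set the window title, OSC 52
# writes the clipboard, DCS/APC can reach terminal-specific features.
_STRING_SEQ = re.compile(
    r"(?:\x1b[\]P_^X]|[\x9d\x90\x9f\x9e\x98])[^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)"
)
# CSI (ESC [ or 0x9B): parameter bytes 0x30-0x3F, intermediates 0x20-0x2F,
# one final byte 0x40-0x7E (colours, cursor movement, screen clearing, DSR).
_CSI = re.compile(r"(?:\x1b\[|\x9b)[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]")
# Any other ESC sequence: ESC, optional intermediates, one final byte
# (charset designation ESC ( B, keypad modes, a bare unterminated OSC intro).
_ESC_OTHER = re.compile(r"\x1b[\x20-\x2f]*[\x30-\x7e]")
# Whatever control characters remain, except TAB and LF. CR is dropped too, so
# a log line cannot overwrite the line shown before it; DEL and C1 go as well.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def sanitize_terminal_output(text: str) -> str:
    """Return text with every terminal escape/control sequence removed.

    Order matters: string-terminated sequences first (so their bodies are not
    left behind as plain text), then CSI, then other ESC sequences, then any
    stray control byte, which also catches an ESC with no valid final byte.
    """
    text = _STRING_SEQ.sub("", text)
    text = _CSI.sub("", text)
    text = _ESC_OTHER.sub("", text)
    return _CONTROL.sub("", text)


def has_terminal_escapes(text: str) -> bool:
    """True if the text carries anything the sanitizer would remove."""
    return sanitize_terminal_output(text) != text


# Constructed sample log, not real OBS output: a packager has echoed escape
# sequences into the build, as the scenario in the mail above describes.
MALICIOUS_LOG = (
    "[   12s] Compiling foo.c\n"
    "[   13s] \x1b]0;pwned title\x07\x1b[31mERROR:\x1b[0m build failed\n"  # title + colour
    "[   14s] \x1b]52;c;cHduZWQ=\x07see above\n"                           # clipboard write
    "[   15s] \x9b2J\x1b(Bcleared\n"                                       # 8-bit CSI, charset
)

# What the user should see once the sequences are stripped.
CLEAN_LOG = (
    "[   12s] Compiling foo.c\n"
    "[   13s] ERROR: build failed\n"
    "[   14s] see above\n"
    "[   15s] cleared\n"
)


if __name__ == "__main__":
    print("raw:      ", repr(MALICIOUS_LOG))
    print("sanitized:", repr(sanitize_terminal_output(MALICIOUS_LOG)))
```

Stripping rather than escaping is the conservative choice for a log viewer: the output loses colour, but nothing the server or packager wrote can retitle the window, touch the clipboard or move the cursor, and an unterminated OSC introducer is reduced to its visible payload instead of swallowing the rest of the log. A client that wants to keep colour could whitelist SGR (`CSI ... m`) and strip everything else, but only after the string-terminated sequences are gone.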
