Date: Thu, 01 Mar 2012 22:18:16 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Marcus Meissner <meissner@...e.de>, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: Re: CVE Request (minor) -- osc: Improper sanitization of terminal emulator escape sequences when displaying build log and build status On 02/28/2012 03:44 PM, Marcus Meissner wrote: > On Tue, Feb 28, 2012 at 06:56:52PM +0100, Jan Lieskovsky wrote: >> Hello Kurt, Steve, Marcus, vendors, >> >> a security flaw was found in the way osc, the Python language based >> command >> line client for the openSUSE build service, displayed build logs and build >> status for particular build. A rogue repository server could use this flaw >> to >> modify window's title, or possibly execute arbitrary commands or overwrite >> files via a specially-crafted build log or build status output containing an >> escape sequence for a terminal emulator. >> >> References: >>  https://bugzilla.novell.com/show_bug.cgi?id=749335 >>  https://bugzilla.redhat.com/show_bug.cgi?id=798353 >> >> I need to conclude, I don't know how OBS repositories work (if there is a >> chance >> of a rogue server being present). In any case, this issue is on the border >> (pretty unlikely someone could alter content of OBS package during build -- >> in that case there would be more urgent issues than just particular terminal >> window title change). >> >> But strictly taken, the trust boundary is crossed in the moment, someone >> would schedule OBS build and wouldn't expect the build log / status can >> perform terminal "side" effect yet. >> >> Marcus, please correct me if you don't agree this should get a CVE >> identifier. >> >> If no one having objections and request appropriate, could you allocate one? > > I am not fully convinced it needs a CVE. > > It basically boils down to the old "logfile with content that might be controlled > by an attacker pasted raw to a terminal" issue. > > There is some more control on the person who builds a specific package what is output > thant there usually is in logfiles though. > > A rogue server is unlikely, however a malicious packager could echo "bad escape code" > in his build and then ask for help on our IRC channels or mailinglists with package Y on project X. > (anyone can create an account and build packages ... and asking for help is not uncommon) > e.g. with "look at logfile with: 'osc buildlog home:user foopackage standard i586'.) > > Ciao, Marcus Please use CVE-2012-1095 for this issue. -- Kurt Seifried Red Hat Security Response Team (SRT)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ