Date: Sun, 9 Feb 2014 16:40:24 -0500 (EST) From: cve-assign@...re.org To: hanno@...eck.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: python-gnupg before 0.3.5 shell injection -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > CVE request is still pending. I think we now need two: > 1. Shell injection partly fixed in 0.3.5. > 2. Incomplete fix for shell injection fixed in 0.3.6. We think either 3 or 4 may be a better number of CVEs. First, it seems that the shell_quote function in version 0.3.5 has two fundamentally different problems with different flaw types and different discoverers. The code in question is: elif len(s) >= 2 and (s, s[-1]) == ("'", "'"): result = '"%s"' % s.replace('"', r'\"') The first problem, noted by Florian Weimer, is that this type of attempt to quote ' characters by using " characters is inherently wrong because the " and ' characters are not equivalent in the shell. In his example, the input ends up surrounded by " characters, but the string inside has a $( command substitution, and thus the command will be executed. In other words, using " characters simply cannot work correctly because "$(command)" is unsafe whereas '$(command)' is safe. The second problem, noted by Matthew Daley, is that arbitrary insertion of a \ character into a string is unsafe because it can convert a single command into a list. This is independent of the non-equivalence of " and ' in the shell. In particular, the same list vulnerability can be seen with this 0.3.5 code variant: elif len(s) >= 2 and (s, s[-1]) == ('"', '"'): result = "'%s'" % s.replace("'", r"\'") along with the analogous variant of the Python input. The only difference is that the shell prints a different number of \ characters. In each case, the erroneous \ insertion separates the string into a list of two commands, and the touch command is executed. Specifically, using the original 0.3.5 code: >>> print shell_quote("'\\\"; touch foo #'") "'\\"; touch foo #'" % ls foo ls: cannot access foo: No such file or directory % echo "'\\"; touch foo #'" '\ % ls foo foo Using the above 0.3.5 code variant: >>> print shell_quote('"\\\'; touch foo #"') '"\\'; touch foo #"' % rm foo % ls foo ls: cannot access foo: No such file or directory % echo '"\\'; touch foo #"' "\\ % ls foo foo So, the CVE assignments for these issues are: CVE-2013-7323 Unrestricted use of unquoted strings in a shell, within version 0.3.4 CVE-2014-1927 Erroneous assumptions about the usability of " characters within version 0.3.5, leading to attacks such as $( command substitution within a "-quoted string CVE-2014-1928 Erroneous insertion of a \ character within version 0.3.5, leading to attacks involving command lists (such as lists separated by a ; character) Second, 0.3.5 and 0.3.6 have a series of differences in handling of command-line arguments. This seems to be most likely a reaction to Florian Weimer's observation of "you need to make sure that you prevent option injection through positional arguments." Does anyone believe that option injection was impossible in 0.3.5? If not, we will make a fourth CVE assignment. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJS9/R/AAoJEKllVAevmvms2KEIAL8fK5oUKE0AKsgy2yDka8dn uPBgXFVnls9/SIPrX3d+Zc1ouGerBvEQlaTIv+CgN6e9NzH3YTeec9KIVnCvCunf wgaSe0xFzRTWf+qviEpe0vbc9wgz2wmct0qHLoE0i9vsrYhn4x+2+xEoliD38d12 QSNu93KLhZJ1VqQMaROrjKuv1jIkR27yEdf5JLSflBvyu3mxR6dlBByqLOdBbfHG rj4MMJfcwsD6fvWrk22clX2ZLVZsZAUvuSzcuD0kWiCHABcn00DWFYv1cC0plxDI GnlGPeHg5+2lQUVt5QHy/0MYiJ7g4h7gxXeB8w1JH0DL7ASYaF3wDLkdBrrJT8I= =G9KN -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ