Date: Tue, 18 Mar 2014 10:08:49 -0400 (EDT) From: cve-assign@...re.org To: mmcallis@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, 741659@...s.debian.org Subject: Re: CVE request: kdirstat, insufficient quote escaping leading to arbitrary command execution -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > The Debian report is about single quotes. On Fedora > (https://bugzilla.redhat.com/show_bug.cgi?id=1077059) double quotes were > needed. The recent upstream patch: https://bitbucket.org/jeromerobert/k4dirstat/commits/1ad2e96d73fa06cd9be0f3749b337c03575016aa#chg-src/kcleanup.cpp addressed the ' issue using the '\\'' approach. http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Everything/source/SRPMS/k/k4dirstat-2.7.0-0.9.20101010git6c0a9e6.fc19.src.rpm has: expanded.replace( QRegExp( "%p" ), "\"" + QString::fromLocal8Bit( item->url() ) + "\"" ); expanded.replace( QRegExp( "%n" ), "\"" + QString::fromLocal8Bit( item->name() ) + "\"" ); As mentioned in the http://openwall.com/lists/oss-security/2014/02/09/1 post, attempted use of " for this type of quoting is a conceptually different problem than attempted use of ' for this type of quoting, even if both attempts are ultimately incorrect. (We did not try to check whether the upstream version made a change from incorrect use of " to incorrect use of ' at some point. This could be considered an incomplete fix.) Use CVE-2014-2527 for the vulnerability involving use of " (as shown in the above calls to expanded.replace). This CVE assignment applies to any upstream code or any Fedora-specific code that has this specific issue. Use CVE-2014-2528 for the vulnerability involving use of ' (as shown in the above https://bitbucket.org commit). If anyone happens to identify a version of the code that does not attempt any type of quoting, a third CVE assignment may be possible. > (And maybe it should be escaping ';' too if not already?) This would typically not be addressed as a separate fix. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTKFLiAAoJEKllVAevmvmsiPkH/30d7kfSQPL2v7AZ0NppcPKx 6TRaR8bren7sEI0t38XJ5CmVwyW9KwqSBf+psnM6ubA9VDafl+izOefRw7GoJNIX w8sz67mBWDkBxyYazfLZJhgItGzjUwj8q222lhQ8maLKLS/iGpqnY5rPBnwVTIq6 5T9I0NWH5LrXRHFatS4JLargtU/jiMAIW+/dim7ymj0MFWk9XSnLI4XboIWROdZq gGQU/NXyRhz1ZGenzpHwNHc9ddVC86TKR/xF1DTg8N1RmuAe6HNXEJSWuYooG9BK 2k99nuBpDsL6TD2L4dSN20prKkIGgCTumRJWO/IvCG3jdZYBrscrjWpFMAIqEGk= =lGmu -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ