Date: Tue, 15 Apr 2014 12:36:04 -0400 (EDT) From: cve-assign@...re.org To: mmcallis@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: cross-site scripting issue fixed in CUPS 1.7.2 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > CUPS 1.7.2 ... fixes a cross-site scripting issue > http://www.cups.org/str.php?L4356 > http://www.cups.org/strfiles.php/3268/str4356.patch > http://www.cups.org/blog.php?L717 > https://bugs.mageia.org/show_bug.cgi?id=13196 > the patch may not be sufficient to cover all different encodings, > other special characters of interest etc. > The attached patch updates is_absolute_path() to check for < and quotes > if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL) A CVE can be assigned because the patch above does block some XSS attack vectors. Use CVE-2014-2856 for what is addressed by this patch. There weren't any immediate followups here or in L4356 demonstrating how to exploit the patched scheduler/client.c code in a specific test environment. It is quite possible that other CVE assignments will be made later. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTTV86AAoJEKllVAevmvmsoW0H/ijg+KOyofQ2y8V2/AY5amFQ 4+bVg9KcPtyeC6oEMjgx0NAl0UUM3CMQf5q9cWTxA1mkWiFxrfmfavKDwoymxcfl AlMMOibPCBh+moV4jliWY47eiSolTDF4Bv8spOzbFqkcORUnpcNQwwrD6Q+VUOKn DuxZUjvStHJhXa2nStIIqThT24B5KQIcRAxUBLKPPuunmhylUi8/UxRxjX6NdPlN 2EL62B3j4VjusYBxOTeq6glNZaeBCoVc3KG7Mvkm5JC0AVH9vcHejQpG35HGnDvX rD5Q3sbdfhrhJhOEsuYiEAV8e3rHBDxwVYagopf/amaWGOl6/AiwiUIq5mxvIyk= =bcw3 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ