Date: Wed, 16 Jul 2014 17:02:04 +1000
From: Garth Mollett <gmollett@...hat.com>
To: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request - Snoopy incomplete fix for CVE-2008-4796

Sorry, I should have been more clear in my request.

This is the original fix for CVE-2008-4796:
http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?r1=1.26&r2=1.27

Note it is using escapeshellcmd instead of escapeshellarg and still allows injection of params to curl.

This was then updated to this:
http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?r1=1.27&r2=1.28

Looking at the changes starting around line 927 (in 1.28), escapeshellcmd($URI) is replaced with escapeshellarg($URI); however, the code handling $cmdline_params is changed to this:

    $safer_header = strtr($headers[$curr_header], "\"", " ");
    $cmdline_params .= " -H \"" . $safer_header . "\"";
    [..]
    $cmdline_params .= " -d \"$body\"";
    exec($this->curl_path . " -k -D \"$headerfile\"" . $cmdline_params . " " . escapeshellarg($URI), $results, $return);

Which by my reading still allows command injection.

Then, starting from revision 1.29 through 1.33, this code is all removed and replaced with native php instead of calling curl.

I am not at all involved with this project nor do I have any kind of extra insight on this. Sorry if my original email was misleading or confusing. Please let me know if there is anything else I can do in order to clarify if a CVE assignment is needed for this or not.

On 07/16/2014 03:57 PM, cve-assign@...re.org wrote:
> The information that has been sent so far doesn't determine whether
> there should be one CVE ID or two CVE IDs. A statement of "does still
> allow command injection" would potentially mean two CVE IDs, whereas
> "may still allow command injection" could end up as "does not still
> allow command injection."
>
> The original CVE request was on July 9, and implied that watching
> http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log
> was of interest because a second security fix might be announced there
> "shortly." However, that view=log page was last updated on July 8. We
> will continue to check that view=log page from time to time.
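The pattern Garth quotes from revision 1.28, shown as an added example that is not Snoopy's own code: the 1.28-style command line builder beside one that quotes every attacker-influenced value with escapeshellarg(), plus a small check for what the strtr() call leaves behind. Function names, $curl_path and the sample header/body values are assumed.

```php
<?php
// Added example, not Snoopy's own code: the Snoopy 1.28 way of building the
// curl command line beside a version that passes every attacker-influenced
// value through escapeshellarg(). Function names and sample values are assumed.

function build_cmdline_1_28(string $curl_path, string $headerfile, array $headers, string $body, string $URI): string {
    $cmdline_params = '';
    foreach ($headers as $h) {
        // strtr() only blanks the double quote; $, ` and \ keep their shell
        // meaning inside a double-quoted word, so this is not a real escape.
        $safer_header = strtr($h, "\"", " ");
        $cmdline_params .= " -H \"" . $safer_header . "\"";
    }
    // $body gets no treatment at all: one " in it already ends the shell word.
    $cmdline_params .= " -d \"$body\"";
    return $curl_path . " -k -D \"$headerfile\"" . $cmdline_params . " " . escapeshellarg($URI);
}

function build_cmdline_safe(string $curl_path, string $headerfile, array $headers, string $body, string $URI): string {
    // escapeshellarg() single-quotes the whole value and escapes embedded
    // single quotes, so each value reaches curl as exactly one argument.
    $cmd = escapeshellarg($curl_path) . ' -k -D ' . escapeshellarg($headerfile);
    foreach ($headers as $h) {
        $cmd .= ' -H ' . escapeshellarg($h);
    }
    return $cmd . ' -d ' . escapeshellarg($body) . ' ' . escapeshellarg($URI);
}

// Reviewer check: which shell-significant characters does the 1.28 strtr()
// call leave behind? A non-empty result means the value must never be placed
// inside double quotes on a command line.
function chars_left_after_strtr(string $value): array {
    $safer = strtr($value, "\"", " ");
    $left = [];
    foreach (['$', '`', '\\'] as $c) {
        if (strpos($safer, $c) !== false) {
            $left[] = $c;
        }
    }
    return $left;
}

// Constructed sample input (not taken from the report).
$headers = ['X-Note: costs $5'];
$body    = 'name="snoopy"';
echo build_cmdline_1_28('curl', '/tmp/hdr', $headers, $body, 'http://example.com/'), "\n";
echo build_cmdline_safe('curl', '/tmp/hdr', $headers, $body, 'http://example.com/'), "\n";
var_dump(chars_left_after_strtr($headers[0]));
```

Comparing the two printed command lines shows why the 1.28 change was not a complete fix: only the URI is a single shell word, while the header and body values are still subject to shell interpretation. The pattern that later revisions adopted, avoiding the shell entirely by calling native PHP, removes the problem altogether.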