Date: Wed, 16 Jul 2014 17:02:04 +1000
From: Garth Mollett <gmollett@...hat.com>
To: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request - Snoopy incomplete fix for CVE-2008-4796

Sorry, I should have been more clear in my request.

This is the original fix for CVE-2008-4796:
http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?r1=1.26&r2=1.27

Note that it uses escapeshellcmd instead of escapeshellarg and still allows
injection of params to curl.

This was then updated to this:
http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?r1=1.27&r2=1.28

Looking at the changes starting around line 927 (in 1.28),
escapeshellcmd($URI) is replaced with escapeshellarg($URI); however, the
code handling $cmdline_params is changed to this:

$safer_header = strtr($headers[$curr_header], "\"", " ");
$cmdline_params .= " -H \"" . $safer_header . "\"";
[..]
$cmdline_params .= " -d \"$body\"";
exec($this->curl_path . " -k -D \"$headerfile\"" . $cmdline_params . " "
. escapeshellarg($URI), $results, $return);

Which by my reading still allows command injection.

Then, starting from revision 1.29 through 1.33, this code is all removed
and replaced with native PHP instead of calling curl.

I am not at all involved with this project nor do I have any kind of
extra insight on this. Sorry if my original email was misleading or
confusing.

Please let me know if there is anything else I can do in order to clarify
whether a CVE assignment is needed for this or not.

On 07/16/2014 03:57 PM, cve-assign@...re.org wrote:
> The information that has been sent so far doesn't determine whether
> there should be one CVE ID or two CVE IDs. A statement of "does still
> allow command injection" would potentially mean two CVE IDs, whereas
> "may still allow command injection" could end up as "does not still
> allow command injection."
> 
> The original CVE request was on July 9, and implied that watching
> http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log
> was of interest because a second security fix might be announced there
> "shortly." However, that view=log page was last updated on July 8. We
> will continue to check that view=log page from time to time.
> 
> 
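As an added example (not Snoopy's code and not part of the original message), here is the 1.28-style command-line construction beside a hardened form that passes every value through escapeshellarg(); the function and parameter names are assumed, and the sample header and body are constructed.

```php
<?php
// Added example, not Snoopy's own code: the 1.28 command-line construction
// beside a hardened variant. Function and parameter names are assumed.

// Mirrors the 1.28 snippet: strip double quotes from each header, then wrap
// header and body in double quotes. A double-quoted shell argument still
// expands $var, `cmd` and $(cmd), so stripping only the quote character is
// not a complete fix, and $body is not filtered at all.
function buildCmdline128(string $curlPath, string $headerFile, array $headers, string $body, string $uri): string
{
    $cmdlineParams = "";
    foreach ($headers as $header) {
        $saferHeader = strtr($header, "\"", " ");
        $cmdlineParams .= " -H \"" . $saferHeader . "\"";
    }
    $cmdlineParams .= " -d \"$body\"";
    return $curlPath . " -k -D \"$headerFile\"" . $cmdlineParams . " " . escapeshellarg($uri);
}

// Hardened variant: every value that can carry external input goes through
// escapeshellarg(), which single-quotes it and escapes embedded single quotes,
// so the shell sees one literal argument per value and performs no expansion.
function buildCmdlineSafe(string $curlPath, string $headerFile, array $headers, string $body, string $uri): string
{
    $cmdlineParams = "";
    foreach ($headers as $header) {
        $cmdlineParams .= " -H " . escapeshellarg($header);
    }
    $cmdlineParams .= " -d " . escapeshellarg($body);
    return escapeshellarg($curlPath) . " -k -D " . escapeshellarg($headerFile)
        . $cmdlineParams . " " . escapeshellarg($uri);
}

// Constructed sample input: a header value carrying a single quote and a
// shell variable reference, both of which strtr() leaves untouched.
$headers = ['X-Note: it\'s $HOME'];
$body    = 'a=1&b=2';

echo buildCmdline128('/usr/bin/curl', '/tmp/hdr', $headers, $body, 'http://example.com/'), "\n";
echo buildCmdlineSafe('/usr/bin/curl', '/tmp/hdr', $headers, $body, 'http://example.com/'), "\n";
```

In the first line of output the header still sits inside double quotes, so a shell would expand `$HOME`; in the second, each value is a single-quoted literal. Dropping the shell entirely, as revisions 1.29 through 1.33 did by moving to native PHP, removes the problem rather than escaping around it.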