Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 26 Nov 2014 23:10:32 -0500 (EST)
From: cve-assign@...re.org
To: henri@...v.fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Canto Feed URL Parsing Command Line Injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Can I get 2013 CVE for Canto feed URL parsing command line injection
> vulnerability
> 
> Affected versions: All versions prior to v0.9.0
> 
> https://github.com/themoken/canto-curses/commit/2817869f98c54975f31e2dd674c1aefa70749cca
> https://bugs.debian.org/731582

>> If a user starts canto and chooses to go to one URL from one feed,
>> canto constructs a sh command line to visit the URL, but it doesn't
>> remove metachars.

Use CVE-2013-7416.

One might also argue that the underlying problem is that
doc/configuration in the Canto distribution tells users to enter
link_handler lines with " quoting, e.g.,

  link_handler("elinks \"%u\"", text=True)

within the user's ~/.canto/conf.py file. This perhaps could have been
addressed either by making the %u value safe before conf.py is
executed, or by telling the user to add other Python code to conf.py
for correct quoting.

In other words, 731582 is a valid vulnerability report because the
reporter is using a quoting approach that exactly matches the vendor's
recommendation. This is not a site-specific report about an error in
one user's ~/.canto/conf.py file.

2817869f98c54975f31e2dd674c1aefa70749cca adds an shlex.quote call --
shlex.quote is found in
https://hg.python.org/cpython/file/tip/Lib/shlex.py and has:

   return "'" + s.replace("'", "'\"'\"'") + "'"

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUdqKMAAoJEKllVAevmvms5vgH/jHWLqrfRdv2IO5lgR+MN7sg
95/nlpMv1zQrWFhSExCAIJLVJy4bIAF8SpxjQnTdcJQQlB2ffdni4LK0sD4q2amW
H3xBz5Gf41uNuieZI+PclDSkNr7u1ZsL+4MM5Ye2I5t04Wdm4u2XjQL3Ct5WAvUM
h7yMuQXmdKti9NDIDDf1PXQvmDGlNDoidvZC8v/M1oPsHOuWNfYM6euFC4repFc6
d3IBPb8tPAi8ZxZoSMMEbxDcX5OAzmCxjeaFt3JJy8lB1s4lYoS2YLlSkUI5f2kq
jgCkxYNnSKO4HCXpl4aioG11PG1vLVsbwzZ141y+8vQygIIGz+4KBmSt/E+GzrM=
=mC0o
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.