Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 30 Jul 2015 12:32:33 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: A new class of security vulns?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://fedorahosted.org/freeipa/ticket/5153

> assuming there are no actual terminal escape sequences allowed, but just
> backspace characters/etc

> there is an integrity impact (not a very big one mind you)

In this type of situation, the author of the software can choose to
characterize the behavior as a vulnerability, based on their viewpoint
about what type of "integrity" was intended.

In this case, the report says "non-printable characters aren't check
in every case of user data" and "need more string checks for
non-printable characters." That might mean that character-set
restrictions were an intentional protection mechanism, implemented
correctly elsewhere in the product, and the author can definitely have
a viewpoint that the incomplete protection mechanism requires a CVE
ID. If there previously were no character-set restrictions at all, but
the author believes that the original design goal was to have the
user-entered name directly visible to the admin, then again the author
can state that a CVE ID is required, We, of course, discourage anyone
from asserting an original design goal when what they are really doing
is adding an entirely new security feature.

If this type of claim of a vulnerability finding is not originated or
confirmed by the author, it becomes difficult to argue that a CVE ID
is required. Maybe the product was actually intended to store
non-alphabetic names (including the \10\10\10Doe types of names in
5153) in order to support a wide range of personal-identity choices,
perhaps even the symbol of The Artist Formerly Known As Prince.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVulEMAAoJEKllVAevmvmsSyUH/AkZFfJA+27LdMYdZmtFrPfA
oSTJlpN1Q0bSSu9Pzu/L52o7tdfUNFMYmQ1GYuBd85vt7W3am2a3VLo9OaxP8KRa
oOas5zVTMO/63LTOP6sV8kTbwBkzoYR/OZc2XDbQNW0G9KAt3YqV7ReP+gHCMAXP
QLaUwq84gH88mdbiejdUbDdKIBS5PNW9aqEXVFbTTm3zNUTCMnIRa28uEKFjqyza
JlNKrxgxINJ4hvLckgFtdAlhI6WJDtK4Fm2bvK9N9eXoC7jQPWGFZo4pJ4U50HwM
8rvIioJhif7v4Ud/86T3PQzuxCDIGAJfmo3hKOkkeBEg6DvkGhxTFRFVyBqyqCc=
=ezM2
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.