Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 18 Nov 2015 18:35:50 +0100
From: Peter Bex <peter@...e-magic.net>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request for path traversal / info leak bug in Spiffy web
 server

On Wed, Nov 18, 2015 at 12:15:41PM -0500, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> > http://lists.gnu.org/archive/html/chicken-announce/2015-11/msg00000.html
> 
> > if you are using awful,
> > chickadee, pastiche, qwiki, websockets or any other egg that uses Spiffy
> > as HTTP server, your server is vulnerable as well.
> 
> > Spiffy 5.4 eliminates the
> > vulnerability without requiring the fix for the CHICKEN core.
> 
> Use CVE-2015-8235 for the Spiffy vulnerability.

Thank you.

> > The issue with the CHICKEN core procedures has been addressed by
> > edd4926bb4f4c97760a0e03b0d0e8210398fe967 in the git repository, but it
> > is not in any stable release yet.
> > 
> > http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=edd4926bb4f4c97760a0e03b0d0e8210398fe967
> 
> If this is a CHICKEN core vulnerability, it needs a separate CVE ID.
> The description above -- especially the 'supposed to be "atomic"'
> comment -- suggests that the code is unambiguously wrong, but the
> commit message presents the issue differently. Also, it appears that
> introducing '/' characters into strings is a general problem for any
> program that prohibits only '/' characters in user-supplied filenames
> (e.g., because the program, for whatever reason, can only be used on
> UNIX platforms). Is there a rationale for not considering this a
> CHICKEN vulnerability?

I'm not 100% sure, but I think it was not considered to be a
vulnerability as such because, while it's indeed unambiguously wrong,
it doesn't directly present a vulnerability.  It's only, like you say,
when an application prohibits only '/' characters, when this results in
a vulnerability.

I trust your judgement on this, so if this is worth a CVE ID, please
assign one.

Regards,
Peter Bex

Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.