Date: Tue, 1 Jul 2008 10:58:16 +0200 From: Nico Golde <oss-security+ml@...lde.de> To: oss-security@...ts.openwall.com Subject: Re: CVE id request mercurial:Insufficient input validation Hi Steve, * Steven M. Christey <coley@...us.mitre.org> [2008-06-30 21:41]: > Out of curiosity, what attack scenarios exist for this issue? If an > attacker has control over the patch already, then code execution on the > system already seems likely. Or is the impact mostly limited to "compile > farms" and limited-access user accounts? Yes I agree, the attack scenarios are really limited to systems/people blindly importing patches for example if received via mail. Cheers Nico -- Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.