Date: Tue, 18 Mar 2014 10:08:49 -0400 (EDT) From: cve-assign@...re.org To: mmcallis@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, 741659@...s.debian.org Subject: Re: CVE request: kdirstat, insufficient quote escaping leading to arbitrary command execution -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > The Debian report is about single quotes. On Fedora > (https://bugzilla.redhat.com/show_bug.cgi?id=1077059) double quotes were > needed. The recent upstream patch: https://bitbucket.org/jeromerobert/k4dirstat/commits/1ad2e96d73fa06cd9be0f3749b337c03575016aa#chg-src/kcleanup.cpp addressed the ' issue using the '\\'' approach. http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Everything/source/SRPMS/k/k4dirstat-2.7.0-0.9.20101010git6c0a9e6.fc19.src.rpm has: expanded.replace( QRegExp( "%p" ), "\"" + QString::fromLocal8Bit( item->url() ) + "\"" ); expanded.replace( QRegExp( "%n" ), "\"" + QString::fromLocal8Bit( item->name() ) + "\"" ); As mentioned in the http://openwall.com/lists/oss-security/2014/02/09/1 post, attempted use of " for this type of quoting is a conceptually different problem than attempted use of ' for this type of quoting, even if both attempts are ultimately incorrect. (We did not try to check whether the upstream version made a change from incorrect use of " to incorrect use of ' at some point. This could be considered an incomplete fix.) Use CVE-2014-2527 for the vulnerability involving use of " (as shown in the above calls to expanded.replace). This CVE assignment applies to any upstream code or any Fedora-specific code that has this specific issue. Use CVE-2014-2528 for the vulnerability involving use of ' (as shown in the above https://bitbucket.org commit). If anyone happens to identify a version of the code that does not attempt any type of quoting, a third CVE assignment may be possible. > (And maybe it should be escaping ';' too if not already?) This would typically not be addressed as a separate fix. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTKFLiAAoJEKllVAevmvmsiPkH/30d7kfSQPL2v7AZ0NppcPKx 6TRaR8bren7sEI0t38XJ5CmVwyW9KwqSBf+psnM6ubA9VDafl+izOefRw7GoJNIX w8sz67mBWDkBxyYazfLZJhgItGzjUwj8q222lhQ8maLKLS/iGpqnY5rPBnwVTIq6 5T9I0NWH5LrXRHFatS4JLargtU/jiMAIW+/dim7ymj0MFWk9XSnLI4XboIWROdZq gGQU/NXyRhz1ZGenzpHwNHc9ddVC86TKR/xF1DTg8N1RmuAe6HNXEJSWuYooG9BK 2k99nuBpDsL6TD2L4dSN20prKkIGgCTumRJWO/IvCG3jdZYBrscrjWpFMAIqEGk= =lGmu -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.