Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 18 Mar 2014 10:08:49 -0400 (EDT)
From: cve-assign@...re.org
To: mmcallis@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com,
        741659@...s.debian.org
Subject: Re: CVE request: kdirstat, insufficient quote escaping leading to arbitrary command execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> The Debian report is about single quotes. On Fedora
> (https://bugzilla.redhat.com/show_bug.cgi?id=1077059) double quotes were
> needed.

The recent upstream patch:

  https://bitbucket.org/jeromerobert/k4dirstat/commits/1ad2e96d73fa06cd9be0f3749b337c03575016aa#chg-src/kcleanup.cpp

addressed the ' issue using the '\\'' approach.

http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Everything/source/SRPMS/k/k4dirstat-2.7.0-0.9.20101010git6c0a9e6.fc19.src.rpm
has:

    expanded.replace( QRegExp( "%p" ),
                      "\"" + QString::fromLocal8Bit( item->url() )  + "\"" );
    expanded.replace( QRegExp( "%n" ),
                      "\"" + QString::fromLocal8Bit( item->name() ) + "\"" );

As mentioned in the
http://openwall.com/lists/oss-security/2014/02/09/1 post, attempted
use of " for this type of quoting is a conceptually different problem
than attempted use of ' for this type of quoting, even if both
attempts are ultimately incorrect.

(We did not try to check whether the upstream version made a change
from incorrect use of " to incorrect use of ' at some point. This
could be considered an incomplete fix.)

Use CVE-2014-2527 for the vulnerability involving use of " (as shown
in the above calls to expanded.replace). This CVE assignment applies
to any upstream code or any Fedora-specific code that has this
specific issue.

Use CVE-2014-2528 for the vulnerability involving use of ' (as shown
in the above https://bitbucket.org commit).

If anyone happens to identify a version of the code that does not
attempt any type of quoting, a third CVE assignment may be possible.

> (And maybe it should be escaping ';' too if not already?)

This would typically not be addressed as a separate fix.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTKFLiAAoJEKllVAevmvmsiPkH/30d7kfSQPL2v7AZ0NppcPKx
6TRaR8bren7sEI0t38XJ5CmVwyW9KwqSBf+psnM6ubA9VDafl+izOefRw7GoJNIX
w8sz67mBWDkBxyYazfLZJhgItGzjUwj8q222lhQ8maLKLS/iGpqnY5rPBnwVTIq6
5T9I0NWH5LrXRHFatS4JLargtU/jiMAIW+/dim7ymj0MFWk9XSnLI4XboIWROdZq
gGQU/NXyRhz1ZGenzpHwNHc9ddVC86TKR/xF1DTg8N1RmuAe6HNXEJSWuYooG9BK
2k99nuBpDsL6TD2L4dSN20prKkIGgCTumRJWO/IvCG3jdZYBrscrjWpFMAIqEGk=
=lGmu
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.