Date: Wed, 16 Jul 2014 16:52:10 +0200
From: Tomas Hoger <>
Subject: Re: Re: CVE request - Snoopy incomplete fix for

On Wed, 16 Jul 2014 01:57:27 -0400 (EDT) wrote:

> The information that has been sent so far doesn't determine whether
> there should be one CVE ID or two CVE IDs. A statement of "does still
> allow command injection" would potentially mean two CVE IDs, whereas
> "may still allow command injection" could end up as "does not still
> allow command injection."

The fix applied in Snoopy rev 1.28 was insufficient / incomplete and it
did allow command execution.  There should be 2 CVEs, afaics.

It seems there actually is a longer list of incomplete fixes for this


It seems this allowed the most simple injections:;id;id

Fixed in 2004 via:

This strips double quotes and adds quotes around URI argument.

SEC-Consult SA 20051025-0

This was via curl -H argument value, required use of double quote to
escape double quotes quoting of header argument, and required command in
the host part of the url:";id

Fixed in a similar way the previous one was addressed:

(I guess this is the initial report)

The version of the _httpsrequest quoted there does not use $safer_URI
and hence seems to pre-date the fix from 2004, so it might be the same
issue as the 2002/2004 one.  However, the use of backtick in the
example exploit should have made it work on Snoopy versions with the
above two fixes.`id``id`

Fixed using escapeshellcmd():

Followed by a similar fix for headers a few days later, which probably
was not picked up by folks backporting the above commit as the fix for
this CVE:


The above blog post shows how to inject additional command line
arguments for curl and what can be achieved with that.

Fixed using escapeshellarg():

So this should be new 2014 CVE-1.

The above commit reverts rev 1.27 change (I don't dare to guess if that
was intentional or not), and hence for the header / -H case, it changed
curl command line argument injection into direct arbitrary code
injection using backticks as noted for the 2008 issue above.

If you need public reference, there's:

or UPD3 update near the end of the mstrokin's blog post.

I believe this should get different 2014 CVE-2, because there was
upstream version that was believed to have all issues fixed.

Rather than fixing escaping of header arguments, Snoopy upstream
removed curl code and made Snoopy open SSL connection to https server
directly.  That was done in rev 1.29, that was further corrected in
subsequent commits.

Tomas Hoger / Red Hat Security Response Team
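
The quoting approaches discussed in the message above can be compared side by side. This is an added example, not part of the original post and not Snoopy's code: it is a Python model in which `printf` stands in for curl, the 2004 fix is assumed to wrap the value in double quotes, `escapeshellcmd_model` is a simplified re-implementation of PHP's escapeshellcmd(), and the URLs are constructed.

```python
import re
import shlex
import subprocess

# printf stands in for curl: it prints every argument it receives in brackets,
# so the output shows argument boundaries and any shell expansion that occurred.
STAND_IN = "printf '[%s]' "

def fix_2004(value):
    # Model of the 2004 fix: strip double quotes, then wrap in double quotes (assumed).
    return '"' + value.replace('"', '') + '"'

def escapeshellcmd_model(value):
    # Simplified model of PHP escapeshellcmd(): backslash-escape shell
    # metacharacters (unpaired-quote handling omitted). Whitespace is untouched.
    return re.sub(r'([#&;`|*?~<>^()\[\]{}$\\\n\xff])', r'\\\1', value)

def escapeshellarg_model(value):
    # shlex.quote has the same effect as PHP escapeshellarg(): one single-quoted word.
    return shlex.quote(value)

def shell_sees(quoted):
    # Run the stand-in through /bin/sh and return what it received.
    return subprocess.run(["/bin/sh", "-c", STAND_IN + quoted],
                          capture_output=True, text=True).stdout

def survives(quote, value):
    # True if the program receives `value` as exactly one unmodified argument.
    return shell_sees(quote(value)) == "[" + value + "]"

# Constructed inputs: the backtick marker used in the message, and an extra option.
SUBST = "https://example.test/`id`"
EXTRA = "https://example.test/ --constructed-option"

def report():
    # Map each quoting model to (substitution blocked, stays a single argument).
    rows = {}
    for name, quote in [("2004 double-quote wrap", fix_2004),
                        ("escapeshellcmd model", escapeshellcmd_model),
                        ("escapeshellarg model", escapeshellarg_model)]:
        rows[name] = (survives(quote, SUBST), survives(quote, EXTRA))
    return rows

if __name__ == "__main__":
    for name, (subst_ok, single_arg) in report().items():
        print(f"{name:24} substitution blocked={subst_ok}  single argument={single_arg}")
```

Only the single-quoted form passes both checks; a regression test of this shape would flag a change that puts double-quote wrapping back on any argument path, such as the header case described above.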
