Date: Wed, 16 Jul 2014 17:02:04 +1000
From: Garth Mollett <gmollett@...hat.com>
To: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request - Snoopy incomplete fix for CVE-2008-4796

Sorry, I should have been more clear in my request.

This is the original fix for CVE-2008-4796:
http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?r1=1.26&r2=1.27

Note: using escapeshellcmd instead of escapeshellarg still allows injection of params to curl.

This was then updated to this:
http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?r1=1.27&r2=1.28

Looking at the changes starting around line 927 (in 1.28), escapeshellcmd($URI) is replaced with escapeshellarg($URI); however, the code handling $cmdline_params is changed to this:

    $safer_header = strtr($headers[$curr_header], "\"", " ");
    $cmdline_params .= " -H \"" . $safer_header . "\"";
    [..]
    $cmdline_params .= " -d \"$body\"";
    exec($this->curl_path . " -k -D \"$headerfile\"" . $cmdline_params . " " . escapeshellarg($URI), $results, $return);

Which by my reading still allows command injection.

Then, starting from revision 1.29 through 1.33, this code is all removed and replaced with native PHP instead of calling curl.

I am not at all involved with this project nor do I have any kind of extra insight on this. Sorry if my original email was misleading or confusing. Please let me know if there is anything else I can do in order to clarify if a CVE assignment is needed for this or not.

On 07/16/2014 03:57 PM, cve-assign@...re.org wrote:
> The information that has been sent so far doesn't determine whether
> there should be one CVE ID or two CVE IDs. A statement of "does still
> allow command injection" would potentially mean two CVE IDs, whereas
> "may still allow command injection" could end up as "does not still
> allow command injection."
>
> The original CVE request was on July 9, and implied that watching
> http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log
> was of interest because a second security fix might be announced there
> "shortly." However, that view=log page was last updated on July 8. We
> will continue to check that view=log page from time to time.
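As an added illustration (not Snoopy's code and not from the message above), here is the same curl command line built so that every caller-controlled value goes through escapeshellarg() rather than being placed inside double quotes; the function and parameter names are assumptions, and the sample header values are constructed.

```php
<?php
// Added example, not Snoopy's code: build the curl command line so that
// each caller-controlled value becomes exactly one shell argument.
// Function and parameter names are hypothetical.
function build_curl_cmdline(string $curl_path, string $headerfile,
                            array $headers, string $body, string $uri): string
{
    $cmd = escapeshellarg($curl_path) . ' -k -D ' . escapeshellarg($headerfile);
    foreach ($headers as $header) {
        // escapeshellarg() single-quotes the value and escapes embedded
        // single quotes, so the shell does not interpret anything inside it.
        // Replacing only double quotes and then wrapping the value in double
        // quotes (the 1.28 approach) leaves $, backticks and backslashes live,
        // because the shell still expands them inside double quotes.
        $cmd .= ' -H ' . escapeshellarg($header);
    }
    if ($body !== '') {
        $cmd .= ' -d ' . escapeshellarg($body);
    }
    // --url tells curl this token is the URL even when it begins with '-',
    // so a quoted value cannot be read as a curl option.
    $cmd .= ' --url ' . escapeshellarg($uri);
    return $cmd;
}

// Constructed sample input with characters the shell would otherwise act on.
$headers = ['X-Trace: a"b', 'Cookie: x=1; y=$HOME'];
$cmd = build_curl_cmdline('/usr/bin/curl', '/tmp/hdr.txt', $headers,
                          'q=1&r=2', 'http://example.com/?a=1');
echo $cmd, PHP_EOL;
// Inspect the output before wiring it to exec(): each user-supplied value
// must appear as a single '...'-quoted token with no unquoted metacharacters.
```

Auditing a call like exec() with such code means checking that every concatenated piece is either a constant or an escapeshellarg() result; any string that reaches the shell by another path is the finding.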