Date: Thu, 20 Nov 2014 21:35:02 +0000 From: "Mehaffey, John" <John_Mehaffey@...tor.com> To: mancha <mancha1@...o.com>, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> CC: "falonsoe@...hat.com" <falonsoe@...hat.com> Subject: RE: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified > From: mancha [mancha1@...o.com] > Sent: Thursday, November 20, 2014 11:17 AM > To: oss-security@...ts.openwall.com > Cc: falonsoe@...hat.com > Subject: Re: [oss-security] CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified > > On Thu, Nov 20, 2014 at 11:38:20AM -0500, Francisco Alonso wrote: > > Hello, > > > > It was discovered that the wordexp() function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution > > of a shell for command substitution when the applicaiton did not request it. > > > > Bug report: > > https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2014-7817 > > > > Git commit: > > https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c > > > > References: > > https://bugzilla.redhat.com/show_bug.cgi?id=1157689 > > https://sourceware.org/ml/libc-alpha/2014-11/msg00519.html > > Francisco, thanks for the post. > > After a lightning review of one of my systems, I found the following use > glibc's wordexp: adobe's flash plugin, ardour2, mailx, enca. I've not > looked into which input is under a would-be-attacker's control. > > --mancha alsa-lib is also affected. -mehaf
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.