Date: Wed, 26 Nov 2014 23:10:32 -0500 (EST)
From: cve-assign@...re.org
To: henri@...v.fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Canto Feed URL Parsing Command Line Injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Can I get a 2013 CVE for the Canto feed URL parsing command line injection
> vulnerability
>
> Affected versions: All versions prior to v0.9.0
>
> https://github.com/themoken/canto-curses/commit/2817869f98c54975f31e2dd674c1aefa70749cca
> https://bugs.debian.org/731582

>> If a user starts canto and chooses to go to one URL from one feed,
>> canto constructs a sh command line to visit the URL, but it doesn't
>> remove metachars.

Use CVE-2013-7416.

One might also argue that the underlying problem is that doc/configuration
in the Canto distribution tells users to enter link_handler lines with "
quoting, e.g.,

  link_handler("elinks \"%u\"", text=True)

within the user's ~/.canto/conf.py file. This perhaps could have been
addressed either by making the %u value safe before conf.py is executed, or
by telling the user to add other Python code to conf.py for correct quoting.
In other words, 731582 is a valid vulnerability report because the reporter
is using a quoting approach that exactly matches the vendor's
recommendation. This is not a site-specific report about an error in one
user's ~/.canto/conf.py file.

2817869f98c54975f31e2dd674c1aefa70749cca adds a shlex.quote call --
shlex.quote is found in https://hg.python.org/cpython/file/tip/Lib/shlex.py
and has:

  return "'" + s.replace("'", "'\"'\"'") + "'"

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUdqKMAAoJEKllVAevmvms5vgH/jHWLqrfRdv2IO5lgR+MN7sg
95/nlpMv1zQrWFhSExCAIJLVJy4bIAF8SpxjQnTdcJQQlB2ffdni4LK0sD4q2amW
H3xBz5Gf41uNuieZI+PclDSkNr7u1ZsL+4MM5Ye2I5t04Wdm4u2XjQL3Ct5WAvUM
h7yMuQXmdKti9NDIDDf1PXQvmDGlNDoidvZC8v/M1oPsHOuWNfYM6euFC4repFc6
d3IBPb8tPAi8ZxZoSMMEbxDcX5OAzmCxjeaFt3JJy8lB1s4lYoS2YLlSkUI5f2kq
jgCkxYNnSKO4HCXpl4aioG11PG1vLVsbwzZ141y+8vQygIIGz+4KBmSt/E+GzrM=
=mC0o
-----END PGP SIGNATURE-----
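The quoting problem discussed in the message above, as an added example that is not Canto's code and not part of the original post. It assumes that the pre-fix behaviour is a plain textual substitution of the URL into the user's link_handler template, and that the fix amounts to wrapping the substituted value with shlex.quote; the template strings and URLs are constructed here. Rather than executing anything, it uses shlex.split to show how a POSIX shell would tokenise each command line, which is enough to see whether the browser receives the URL as exactly one argument. It also checks the caveat the message raises about the documented `"%u"` template: shell quoting layers do not compose, so shlex.quote only helps when the template uses a bare %u.

```python
import shlex

# Template the Canto documentation is said to recommend (double-quoted %u)
# and the bare form that a shlex.quote-based substitution actually needs.
# Both are assumed reconstructions for this example, not Canto's own strings.
DOCUMENTED_TEMPLATE = 'elinks "%u"'
BARE_TEMPLATE = "elinks %u"

# Constructed sample feed links; the second contains shell-significant characters.
BENIGN_URL = "http://example.com/article"
HOSTILE_URL = 'http://example.com/a" b "c'


def build_naive(template: str, url: str) -> str:
    """Pre-fix behaviour (assumed): substitute the URL with no escaping at all."""
    return template.replace("%u", url)


def build_quoted(template: str, url: str) -> str:
    """Post-fix behaviour (assumed): substitute shlex.quote(url).

    shlex.quote returns the value unchanged when it only contains safe
    characters and otherwise wraps it in single quotes, escaping any
    embedded single quote as '"'"' (see the shlex.py line quoted above).
    """
    return template.replace("%u", shlex.quote(url))


def shell_words(cmdline: str) -> list:
    """Tokenise as a POSIX shell would (quotes honoured), without running anything."""
    return shlex.split(cmdline)


def url_stays_single_argument(cmdline: str, url: str) -> bool:
    """Defensive acceptance check: exactly two words, and the second is the URL verbatim.

    Anything else means the URL either broke into several arguments or
    reached the browser with quoting characters still attached.
    """
    words = shell_words(cmdline)
    return len(words) == 2 and words[1] == url


if __name__ == "__main__":
    for url in (BENIGN_URL, HOSTILE_URL):
        for label, cmdline in (
            ("naive, documented template ", build_naive(DOCUMENTED_TEMPLATE, url)),
            ("quoted, documented template", build_quoted(DOCUMENTED_TEMPLATE, url)),
            ("quoted, bare template      ", build_quoted(BARE_TEMPLATE, url)),
        ):
            ok = url_stays_single_argument(cmdline, url)
            print(f"{label}: {'OK  ' if ok else 'FAIL'} {cmdline!r} -> {shell_words(cmdline)}")
```

The output for the hostile URL shows why the two fixes the message names are alternatives rather than complements: the naive substitution yields four shell words, and wrapping the value with shlex.quote while keeping the documented `"%u"` template still yields four, because the URL's own `"` characters terminate the template's outer quotes before the single quotes are seen. Only the bare-%u template with shlex.quote delivers the URL as one intact argument, so a fix in the program has to be paired with a change to the documented conf.py idiom.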