Date: Thu,  3 Sep 2015 01:11:05 -0400 (EDT)
From: cve-assign@...re.org
To: fw@...eb.enyo.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: screen stack overflow (deep recursion)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Use CVE-2015-6806.

We feel that the CVE inclusion case for this issue might be marginal.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797624#5 says

  Hence this can be used to cause a denial of service attack by
  tricking a user into e.g. displaying a file with "cat" inside screen

For purposes of determining whether a vulnerability exists, we aren't
sure that a user is entitled to use cat on an untrusted file within an
arbitrary terminal-like program, and feel confident that a potentially
unwanted behavior is impossible. Maybe the user should be using
"cat -v" on untrusted files.

For example, suppose that the specific terminal-like program had this
potentially unwanted behavior:

    The font size is changed to something extremely small. The only
    way for the user to recover is to type (not paste) a complex
    fontsize-increase command code, and there is no way for the user
    to see what they are typing.

This might be considered a denial of service by the attacker who
constructs the untrusted file; however, we think it isn't necessarily
a vulnerability. The vendor might believe that this behavior is a bug
(or, conceivably, believe that it isn't a bug), without believing that
it violates any security expectations. There might be a hierarchy of
impacts, e.g.,

 -- executes arbitrary shell commands contained in the untrusted file
    (maybe everyone feels that this violates security expectations)

 -- stack overflow (probably almost everyone feels that this violates
    security expectations)

 -- enables command logging to a mode 0600 file, and in doing that can
    overwrite an existing log file (maybe most people feel that this
    violates security expectations)

 -- enables command logging to a mode 0600 file, and in doing that
    cannot overwrite a file (probably some people feel that this
    violates security expectations)

 -- changes the font size, leading to an inconvenience for the victim
    (possibly few people feel that this violates security
    expectations)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJV59XEAAoJEL54rhJi8gl5UOAQALKk4xHSoN22cxkD7OH5KGTX
rYFiL+z0UsHXOP3ZY4HMQss5F7LPawlLcobqsHI0UMPsj08VNizwtO/S0Hqg8NJt
uvm/0DKQB35pinXBueu9hQYw9Le2LHXCOE/whAfDjfXcpxE+YB+HUmLhIC/g59zT
11nL7sGvZZUVdKqcYi0EPsNsZGr5mIHgWJHQgDAGqoZvvPLuKpHV51Q1xC3W5YdO
WSOhbpZcJKYR6l/OT4BNc1ooxDow7KT6KkMRb0xKj3e3QvxuuUZTRjXMfPmsrQiV
dMro5XDQleJBq0paIoFO/3F9coc9YThFzs+iONW/TRT7pV8j4LrV5/KNqHES/WmZ
6OKvFbnzEloqa0fO5zhFH3zqk1W7pKpoo5HirsmFz3jj/MUKUFQU/Gp3TpHqRtpF
CxJlCjw1wNn5kNpCF5+W/RQ/5AAguDoFeh67/hCY/ZBlCkYuWrCoCJGO+b8UJs2r
GfGfkwMr/z+89WPsqRnsaM71orNjcdoJ6hIQz9Igf+gWmO28HMbCvlNgMU+yQIle
2FHIr7p1WxVKaL9SvuNaZtHi62Z+9cvEe5PCoVu/E6WWXvqZvXFJybSbDV5nZ6pQ
pQZgQnOzmAaEgiZ5QumtFgfGnnsvJ/xNS5FTX8K59WkKD51RIPDJxdl7Gx7TnBcs
6msFm1BHOfC2cV99NVtj
=kMUn
-----END PGP SIGNATURE-----
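The message above suggests "cat -v" as the way to look at an untrusted file without letting the terminal act on whatever control sequences it carries. The following Python is an added example, not part of the mailing-list message or of screen or coreutils: it reimplements the GNU `cat -v` caret-notation convention so the effect is visible, adds a small finder for ESC-initiated sequences that a defender can use to gauge how much raw terminal control a file contains before viewing it, and runs both over a constructed sample. All function names and the sample bytes are this example's own.

```python
"""Caret-notation rendering of untrusted bytes, in the style of `cat -v`.

Added example, not code from the oss-security message or from screen.
Demonstrates why `cat -v` is a safe viewer: every control byte is turned
into printable text, so a terminal (or a multiplexer such as screen sitting
in front of it) never sees a raw escape sequence to parse.
"""

ESC = 0x1B  # the byte that starts terminal escape sequences


def cat_v(data: bytes) -> str:
    """Render bytes the way GNU `cat -v` does:
    - printable ASCII (0x20..0x7E) passes through unchanged
    - control bytes become ^X  (ESC -> ^[, BEL -> ^G); DEL (0x7F) -> ^?
    - bytes >= 0x80 get an M- prefix, then the same rule on the low 7 bits
    - tab and newline pass through only when they are not in the M- range
    """
    out = []
    for b in data:
        high = b >= 0x80
        if high:
            out.append("M-")
            b -= 0x80
        if b >= 0x20:
            out.append(chr(b) if b < 0x7F else "^?")
        elif b in (0x09, 0x0A) and not high:
            out.append(chr(b))
        else:
            out.append("^" + chr(b + 0x40))
    return "".join(out)


def find_escape_sequences(data: bytes) -> list:
    """Locate ESC-initiated sequences in raw bytes.

    Handles the common shapes: CSI ('ESC [' + parameter/intermediate bytes +
    one final byte in 0x40..0x7E) and the two-byte 'ESC x' form. Detection
    aid only; it is deliberately simple and does not interpret the sequences.
    """
    found = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != ESC:
            i += 1
            continue
        start = i
        i += 1
        if i < n and data[i] == ord("["):
            i += 1
            while i < n and not (0x40 <= data[i] <= 0x7E):
                i += 1
            i += 1  # consume the final byte, if present
        elif i < n:
            i += 1
        found.append(data[start:min(i, n)])
    return found


def is_safe_to_display(text: str) -> bool:
    """True when the text holds no raw control characters except tab/newline."""
    return all(ch in "\t\n" or 0x20 <= ord(ch) < 0x7F for ch in text)


# Constructed sample: clear-screen CSI, a colour CSI, BEL, DEL and two
# high-bit bytes (UTF-8 for 'e acute'), the sort of content that would be
# interpreted rather than displayed if sent to a terminal verbatim.
SAMPLE = b"hello\x1b[2Jworld\x1b[38;5;9mred\x1b[0m\ttab\x07bell\x7f\xc3\xa9\n"


def demo() -> str:
    """Render the sample and report what was found; returns the rendering."""
    rendered = cat_v(SAMPLE)
    seqs = find_escape_sequences(SAMPLE)
    print(f"raw bytes safe to display: {is_safe_to_display(SAMPLE.decode('latin-1'))}")
    print(f"escape sequences found:    {len(seqs)} -> {seqs}")
    print(f"cat -v rendering safe:     {is_safe_to_display(rendered)}")
    print(rendered, end="")
    return rendered


if __name__ == "__main__":
    demo()
```

The rendering never contains ESC, so nothing downstream can act on it; the finder is there only to answer "how much control data is in this file" before deciding how to open it. Running the script prints the three sequences found in the constructed sample and the caret-escaped text.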
