Date: Wed, 18 Nov 2015 12:15:41 -0500 (EST)
From: cve-assign@...re.org
To: peter@...e-magic.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for path traversal / info leak bug in Spiffy web server

> http://lists.gnu.org/archive/html/chicken-announce/2015-11/msg00000.html

> if you are using awful,
> chickadee, pastiche, qwiki, websockets or any other egg that uses Spiffy
> as HTTP server, your server is vulnerable as well.

> Spiffy 5.4 eliminates the
> vulnerability without requiring the fix for the CHICKEN core.

Use CVE-2015-8235 for the Spiffy vulnerability.


> The unfortunate cause of this is that some CHICKEN core
> procedures are misbehaving: when passed a file that starts with a
> backslash, some path manipulation procedures incorrectly
> *replace* the backslash with a slash. This has the effect of
> injecting a path separator into a path component that was
> supposed to be "atomic". This results in the path component
> being reinterpreted as two components.
> 
> The issue with the CHICKEN core procedures has been addressed by
> edd4926bb4f4c97760a0e03b0d0e8210398fe967 in the git repository, but it
> is not in any stable release yet.
> 
> http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=edd4926bb4f4c97760a0e03b0d0e8210398fe967

If this is a CHICKEN core vulnerability, it needs a separate CVE ID.
The description above -- especially the 'supposed to be "atomic"'
comment -- suggests that the code is unambiguously wrong, but the
commit message presents the issue differently. Also, it appears that
introducing '/' characters into strings is a general problem for any
program that prohibits only '/' characters in user-supplied filenames
(e.g., because the program, for whatever reason, can only be used on
UNIX platforms). Is there a rationale for not considering this a
CHICKEN vulnerability?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
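
Added example, not part of the original message and not code from CHICKEN or Spiffy: a Python model of the issue discussed above, where a filename check that prohibits only '/' accepts a component that a later path procedure rewrites to contain a separator. The function names, the `/srv/www` root and the `model_normalize` behaviour are constructed assumptions for illustration.

```python
import posixpath

SEPARATORS = ("/", "\\")  # treat both as separators, whatever the host OS


def slash_only_check(component):
    """The weak rule from the reply above: only '/' is prohibited."""
    return "/" not in component and component not in ("", ".", "..")


def strict_check(component):
    """Reject anything that could become a separator or a traversal step."""
    if component in ("", ".", ".."):
        return False
    return not any(ch in component for ch in SEPARATORS + ("\0",))


def model_normalize(component):
    """Constructed model of the described misbehaviour: a leading
    backslash is *replaced* by a slash. Not CHICKEN's actual code."""
    if component.startswith("\\"):
        return "/" + component[1:]
    return component


def resolve(root, components, check, normalize=model_normalize):
    """Validate each component, build the path the way the modelled
    library would, then report whether the result is still under root.
    Returns None if validation rejects a component."""
    if not all(check(c) for c in components):
        return None
    path = root
    for c in components:
        # posixpath.join discards what came before an absolute part, so an
        # injected leading '/' silently drops the document root.
        path = posixpath.join(path, normalize(c))
    path = posixpath.normpath(path)
    inside = path == root or path.startswith(root.rstrip("/") + "/")
    return path, inside


if __name__ == "__main__":
    sample = ["\\outside"]  # constructed input: one "atomic" component
    print(resolve("/srv/www", sample, slash_only_check))
    print(resolve("/srv/www", sample, strict_check))
    print(resolve("/srv/www", ["docs", "index.html"], strict_check))
```

The containment test on the final normalized path flags the escape even when the per-component check is the weak one, which is why it belongs after every path manipulation step rather than before.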
