Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed,  6 Jan 2016 03:25:13 -0500 (EST)
From: cve-assign@...re.org
To: corsac@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for radicale

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://github.com/Kozea/Radicale/pull/343
> http://radicale.org/news/#2015-12-31@11:54:03
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809920

>> This fixes a number of issues with dodgy path handling

>> Many improvements in this release are related to security

We do not see a straightforward way to determine the total number of
independent vulnerabilities. For example:

  Paths like .., ../.. or // are not sanitized correctly

  The program crashes if a path doesn't start with base_prefix instead of showing an error message

  On MS Windows the filesystem backend allows access to the first level of files on a drive.

  Improve the regex used for well-known URIs

  Decouple the daemon from its parent environment

  Avoid race condition in PID file creation

are missing information about the attacker and/or the impact.



These might potentially be overlapping observations:

  Paths like .., ../.. or // are not sanitized correctly

  Improve the regex used for well-known URIs

  Prevent crafted HTTP request from calling arbitrary functions

  Improve URI sanitation and conversion to filesystem path

  

For now, we will start with two CVE IDs for the change information that
seems somewhat more clear:

CVE-2015-8747 - The multifilesystem backend allows access to arbitrary files on all platforms.

CVE-2015-8748 - Prevent regex injection in rights management

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWjM5nAAoJEL54rhJi8gl5CT8P/3BdMvzOj6xjmM/jITW6Xabs
F4KoH+xeoN8dABnJLMYoFxJSokjVlvNu2CbdQo4JIdE76iTLTG48s5BPOlga/6Nh
fbEDGk+lrEsWro86FUDQh0oJYFcJCQdOS+GNSi3KW2I7DQVKvsvO5lTvG8zUNH8k
ELJ67CVjFR2g1DeiTnJaXYIeGoDPf0YckjagpGnxZKR6ZFjKi0YOTSPThWNSqIVG
I0NZxXpcno+MMylsSg7f9KObwkti8eFl6oFHzxOTuyugJjQbkpkdXBfY08ZiVBOq
Ik44z97aIZqaGKpiDdYPZnLhSfeBAT8i0kDZn5SH5Am0Oacb5WF2774Vj1NOQtdT
D4Z2q+KpydU9hMeIeaEz84IjF2JoZapZax32zY+vQI28jzrbWmJ2EFiMIHh29fHk
h97+pz/nRlebbLcUcwvs9we6Bec0ZyA74+XCPH68UferVg5YUD85mbTl+elIB9x7
VAD/9hKGzqEnuQNfaOEur6H+gfik6667qpcelYnpxa+ReidcUwtkq0MmkmZwaGBl
Jw5mji3a77BhbakfMAc18OfJ16Xrd+bV5ffd/mFA0jegQDtd8HiY5+mMPDdKU5Sx
kePOeaQxTM22mnFvYuyHekW/tZR8zWIajSbFpG/wQwM5E05Kr/KuIyozlU5oZWDj
/Xvt2kqc2sHESQq+kDhG
=HPXl
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.