Date: Sat, 15 Nov 2008 14:34:07 +0100
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: htop
Hi,
* Steven M. Christey <coley@...us.mitre.org> [2008-11-14 19:40]:
> Sorry Jan and Nico, I didn't follow up with you on this. There were some
> questions about whether this deserved a CVE, since THOUSANDS of programs
> dump output without considering whether they're writing to a terminal...
> or what they're writing to a terminal.
Yes true.
> For example, should the "cat" program become more terminal-aware and avoid
> sending dangerous sequences? Which of dozens of different terminal types
> should it avoid sending these sequences to? Should it get a new CVE every
> time it forgets about some other terminal?
>
> Not to mention "more" and "ls" and "grep" and many others.
>
> We were forced to flag Apache a number of years ago because it didn't
> filter certain dangerous characters from its logs. I always felt a bit
> funny about that one.
This is really a corner case for me too; we decided to treat
this as a vulnerability but with "unimportant" impact.
Thanks for the id anyway.
Cheers
Nico
PS: Jan, I am not aware of any PoC here
--
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
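The thread turns on programs like htop, cat or ls writing attacker-influenced bytes (process names, file names) straight to a terminal, where an ESC sequence can change the window title, recolour output or worse. The block below is an added example, not code from htop, coreutils or anyone in this thread: it shows the "terminal-aware" behaviour Steven describes, rendering control bytes in caret notation the way `cat -v` does and doing so only when stdout is actually a tty, so pipes and log files still get raw bytes. The sample process name is constructed for the example; no external API beyond POSIX `isatty` is assumed.

```c
/* Added example (not htop's or coreutils' code): make untrusted text safe
 * to print on a terminal by rewriting control bytes in caret notation,
 * and only filter when the output really is a terminal. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Rewrite src into dst so that no C0 control byte (0x00-0x1f) or DEL (0x7f)
 * reaches the terminal: ESC becomes "^[", BEL "^G", DEL "^?", and so on.
 * Bytes >= 0x80 are passed through untouched because on a UTF-8 terminal
 * they are multibyte characters, not 8-bit C1 controls; a complete filter
 * would decode UTF-8 first and treat invalid sequences as suspect too.
 * Returns the number of bytes written (excluding the NUL terminator),
 * or -1 if dst cannot hold the result. */
int sanitize_for_tty(const char *src, size_t srclen, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (size_t i = 0; i < srclen; i++) {
        unsigned char c = (unsigned char)src[i];
        char rep[2];
        size_t n;
        if (c < 0x20) {                 /* C0 range, includes ESC (0x1b) */
            rep[0] = '^';
            rep[1] = (char)(c + 0x40);  /* 0x1b -> '[', 0x07 -> 'G', ... */
            n = 2;
        } else if (c == 0x7f) {         /* DEL */
            rep[0] = '^';
            rep[1] = '?';
            n = 2;
        } else {                        /* printable ASCII or UTF-8 byte */
            rep[0] = (char)c;
            n = 1;
        }
        if (o + n >= dstlen)            /* leave room for the terminator */
            return -1;
        memcpy(dst + o, rep, n);
        o += n;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Print an attacker-controlled string (e.g. a process name read from
 * /proc/<pid>/cmdline). If stdout is a terminal, filter it first; if it is
 * a pipe or a file, pass the raw bytes through so that scripts parsing the
 * output are not affected. Returns 1 if filtering was applied, else 0. */
int print_untrusted(const char *s)
{
    if (isatty(STDOUT_FILENO)) {
        char buf[4096];
        if (sanitize_for_tty(s, strlen(s), buf, sizeof buf) < 0)
            fputs("[line too long to display safely]", stdout);
        else
            fputs(buf, stdout);
        return 1;
    }
    fputs(s, stdout);
    return 0;
}

int main(void)
{
    /* Constructed sample: a fake process name carrying an OSC title-set
     * sequence (ESC ] 0 ; ... BEL) and an SGR reset (ESC [ 0 m), both of
     * which argv[0] is free to contain. */
    const char *proc = "sshd: \x1b]0;owned\x07 root\x1b[0m";
    print_untrusted(proc);
    putchar('\n');
    return 0;
}
```

Run with stdout on a terminal and the title-set sequence shows up as `^[]0;owned^G` instead of being executed; run with `| cat` and the raw bytes come out unchanged, which is the `ls -q`/`cat -v` split between interactive and scripted use. The filter is deliberately byte-oriented and conservative: it will also mangle tabs and newlines inside the string (as `^I` and `^J`), which for a one-line process listing is the desired behaviour.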