Message-Id: <20160106082513.E5702332074@smtpvbsrv1.mitre.org>
Date: Wed, 6 Jan 2016 03:25:13 -0500 (EST)
From: cve-assign@...re.org
To: corsac@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for radicale

> https://github.com/Kozea/Radicale/pull/343
> http://radicale.org/news/#2015-12-31@11:54:03
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809920

>> This fixes a number of issues with dodgy path handling

>> Many improvements in this release are related to security

We do not see a straightforward way to determine the total number of
independent vulnerabilities. For example:

  Paths like .., ../.. or // are not sanitized correctly

  The program crashes if a path doesn't start with base_prefix instead
  of showing an error message

  On MS Windows the filesystem backend allows access to the first level
  of files on a drive.

  Improve the regex used for well-known URIs

  Decouple the daemon from its parent environment

  Avoid race condition in PID file creation

are missing information about the attacker and/or the impact. These
might potentially be overlapping observations:

  Paths like .., ../.. or // are not sanitized correctly

  Improve the regex used for well-known URIs

  Prevent crafted HTTP request from calling arbitrary functions

  Improve URI sanitation and conversion to filesystem path

For now, we will start with two CVE IDs for the change information that
seems somewhat more clear:

CVE-2015-8747 - The multifilesystem backend allows access to arbitrary
files on all platforms.

CVE-2015-8748 - Prevent regex injection in rights management

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
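The two defect classes the message assigns IDs to, illustrated as an added Python example that is not Radicale's code and not part of the original post: a request-path sanitizer that rejects the '..', '../..', '//', foreign-base_prefix and Windows drive cases named above (returning an error instead of crashing or reaching the filesystem), and a rights-rule builder shown in its vulnerable and regex-escaped forms. The BASE_PREFIX, COLLECTION_ROOT values and the '%(user)s' rule placeholder are assumptions constructed for the example.

```python
import posixpath
import re

# Constructed for this example; the names are hypothetical, not Radicale's API.
BASE_PREFIX = "/radicale"                          # URL prefix the server is mounted at
COLLECTION_ROOT = "/var/lib/radicale/collections"  # on-disk collection storage


class BadPath(ValueError):
    """A request path that must become an error response, never a crash."""


def sanitize_path(request_path, base_prefix=BASE_PREFIX):
    """Return the collection path ('a/b', '' for the root) or raise BadPath.

    The base_prefix check comes first so a foreign prefix is reported, not
    crashed on; then each segment is inspected so '..', '.', '//' and Windows
    drive or backslash segments can never reach the filesystem backend.
    """
    if request_path != base_prefix and not request_path.startswith(base_prefix + "/"):
        raise BadPath("path does not start with %r" % base_prefix)
    segments = []
    for segment in request_path[len(base_prefix):].split("/"):
        if segment == "":                       # '//' or a leading/trailing slash
            continue
        if segment in (".", "..") or ":" in segment or "\\" in segment:
            raise BadPath("unsafe path segment %r" % segment)
        segments.append(segment)
    return "/".join(segments)


def collection_filesystem_path(request_path, root=COLLECTION_ROOT):
    """Map a request path onto the filesystem and prove it stays under root."""
    parts = [s for s in sanitize_path(request_path).split("/") if s]
    path = posixpath.normpath(posixpath.join(root, *parts))
    if posixpath.commonpath([root, path]) != root:  # belt and braces
        raise BadPath("path escapes the collection root")
    return path


def naive_rights_regex(rule, user):
    """Vulnerable: the login is interpolated raw, so a login like '.*' matches everything."""
    return re.compile(rule.replace("%(user)s", user))


def safe_rights_regex(rule, user):
    """Fixed: re.escape makes every character of the login match literally."""
    return re.compile(rule.replace("%(user)s", re.escape(user)))


def is_allowed(regex, collection):
    return regex.fullmatch(collection) is not None
```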