oss-security - Re: CVE id request mercurial:Insufficient input validation

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <20080701085816.GA3630@ngolde.de>
Date: Tue, 1 Jul 2008 10:58:16 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request mercurial:Insufficient input validation

Hi Steve,
* Steven M. Christey <coley@...us.mitre.org> [2008-06-30 21:41]:
> Out of curiosity, what attack scenarios exist for this issue?  If an
> attacker has control over the patch already, then code execution on the
> system already seems likely.  Or is the impact mostly limited to "compile
> farms" and limited-access user accounts?

Yes I agree, the attack scenarios are really limited to 
systems/people blindly importing patches for example if 
received via mail.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Content of type "application/pgp-signature" skipped

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.