Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 25 Feb 2014 09:56:03 -0500 (EST)
Subject: Re: CVE request for catfish program

Hash: SHA1


> This script intentionally looks to load in the current
> working directory.

"intentionally" tends to be a complicating factor for a CVE
assignment; one could possibly instead express this as: the author
didn't consider that catfish would sometimes be executed with cwd
outside of the user's home directory. The nature of the program
suggests that it could be started interactively by any user at any
time, and there's no documentation indicating that the cwd could or
should be constrained.

We couldn't immediately figure out where your quoted source code came
has a that looks for $APPNAME.pyc before $ The
quoted code has duplicate checks for $ This affects the
number of CVEs. Apparently, "a crafted file in the current
working directory" is an attack vector with a certain set of affected
versions, and "a crafted catfish.pyc file in the current working
directory" is an attack vector with a different set of affected
versions. Also, the Debian bug report specifically names a much later
package (1.0.0-2) that might be considered an independent codebase,
and at least has different attack vectors. The ChangeLog says "v0.6.0
Complete rewrite from the ground-up." The problematic 1.0.0 code is
distributed in bin/ and has attack vectors of "a crafted
bin/catfish.pyc or bin/ file under the current working

The primary Red Hat bug report refers to which is for
"Product: Fedora ... Component: catfish ... Version: 20" but
is essentially the same as 1.0.0: the code is found in
bin/ in the distribution, and bin/catfish.pyc and
bin/ are the attack vectors. So, apparently your quoted code
isn't the Fedora 20 code.

Finally, we didn't find any evidence of a case where only
bin/ is checked within the post-complete-rewrite codebase. in the current working directory - Use CVE-2014-2093.

catfish.pyc in the current working directory - Use CVE-2014-2094.

bin/catfish.pyc and bin/ file under the current working
directory - Use CVE-2014-2095.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.