Message-Id: <201403181408.s2IE8n5e025035@linus.mitre.org>
Date: Tue, 18 Mar 2014 10:08:49 -0400 (EDT)
From: cve-assign@...re.org
To: mmcallis@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, 741659@...s.debian.org
Subject: Re: CVE request: kdirstat, insufficient quote escaping leading to arbitrary command execution

> The Debian report is about single quotes. On Fedora
> (https://bugzilla.redhat.com/show_bug.cgi?id=1077059) double quotes were
> needed.

The recent upstream patch:

  https://bitbucket.org/jeromerobert/k4dirstat/commits/1ad2e96d73fa06cd9be0f3749b337c03575016aa#chg-src/kcleanup.cpp

addressed the ' issue using the '\\'' approach.

  http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Everything/source/SRPMS/k/k4dirstat-2.7.0-0.9.20101010git6c0a9e6.fc19.src.rpm

has:

  expanded.replace( QRegExp( "%p" ), "\"" + QString::fromLocal8Bit( item->url() ) + "\"" );
  expanded.replace( QRegExp( "%n" ), "\"" + QString::fromLocal8Bit( item->name() ) + "\"" );

As mentioned in the http://openwall.com/lists/oss-security/2014/02/09/1
post, attempted use of " for this type of quoting is a conceptually
different problem than attempted use of ' for this type of quoting,
even if both attempts are ultimately incorrect. (We did not try to
check whether the upstream version made a change from incorrect use of
" to incorrect use of ' at some point. This could be considered an
incomplete fix.)

Use CVE-2014-2527 for the vulnerability involving use of " (as shown
in the above calls to expanded.replace). This CVE assignment applies
to any upstream code or any Fedora-specific code that has this
specific issue.

Use CVE-2014-2528 for the vulnerability involving use of ' (as shown
in the above https://bitbucket.org commit).

If anyone happens to identify a version of the code that does not
attempt any type of quoting, a third CVE assignment may be possible.

> (And maybe it should be escaping ';' too if not already?)

This would typically not be addressed as a separate fix.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
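
The three quoting styles this message distinguishes (bare " wrapping, bare ' wrapping, and ' wrapping with the '\'' rewrite), as an added example that is not code from k4dirstat or from the original post. The helper names are hypothetical, the sample names are constructed, and it assumes a POSIX /bin/sh reachable through popen(); each quoted word is handed to the shell and checked for whether the name comes back byte for byte.

```cpp
// Added illustration; helper names are hypothetical, not k4dirstat code.
#include <cstdio>
#include <string>

// Style 1: wrap in double quotes, no escaping. The shell still expands
// $, backquotes, backslashes and embedded " inside the word.
std::string quote_double_naive(const std::string& s) { return "\"" + s + "\""; }

// Style 2: wrap in single quotes, no escaping. An embedded ' ends the
// quoted region early, so the rest of the name is parsed by the shell.
std::string quote_single_naive(const std::string& s) { return "'" + s + "'"; }

// Style 3: wrap in single quotes and rewrite each ' as '\'' (close the
// quote, emit an escaped ', reopen). Nothing is special inside '...'.
std::string quote_single_escaped(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Hand the quoted word to /bin/sh as the argument of printf and return
// the bytes the shell actually passed on.
std::string shell_sees(const std::string& quoted) {
    std::string cmd = "printf '%s' " + quoted;
    std::string got;
    FILE* p = popen(cmd.c_str(), "r");
    if (!p) return got;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) got.append(buf, n);
    pclose(p);
    return got;
}

// A quoting function is safe for a name only if the name round-trips.
bool round_trips(const std::string& quoted, const std::string& name) {
    return shell_sees(quoted) == name;
}

int main() {
    // Constructed sample names; the embedded command is a harmless echo.
    const std::string names[] = {"plain dir", "a$(echo X)b", "a'$(echo X)'b"};
    for (const std::string& n : names)
        std::printf("%-16s double=%d single=%d escaped=%d\n", n.c_str(),
                    round_trips(quote_double_naive(n), n),
                    round_trips(quote_single_naive(n), n),
                    round_trips(quote_single_escaped(n), n));
    return 0;
}
```

Only the escaped single-quote form round-trips every sample, including names containing ';', which is why that character needs no separate handling once the quoting itself is correct.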