oss-security - Re: CVE request: xzgrep 4.999.9beta arbitrary code execution vulnerability

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-Id: <20150519193027.730486C00C9@smtpvmsrv1.mitre.org>
Date: Tue, 19 May 2015 15:30:27 -0400 (EDT)
From: cve-assign@...re.org
To: dopheide@....nl
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: xzgrep 4.999.9beta arbitrary code execution vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> xzgrep 4.999.9beta processes filenames containing a semicolon
> incorrectly

> $ touch /tmp/semi\;colon
> $ xzgrep anystring /tmp/semi\;colon 
> xz: /tmp/semi: No such file or directory
> /usr/bin/xzgrep: line 199: colon: command not found

Use CVE-2015-4035.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVW469AAoJEKllVAevmvmsbzkH/A3dSVE5dorfEZvteDOFSmQx
n+gNl9t4Mzduhb2ORkNgxjGDue5ktE/G1om0h8gFae/wLVd0NvkFPhwrHdVUFmOd
F/Tu1wFoeuQjuoOxQQw1ixOFvsbzTXVmeRKatyqbECFivFpoVAK/34rZItYmf6KG
zfRMbN9jpV3eoRNuN7OQFHFe3jcb6InXB2hM/7VA/Wg0WyWx1CKlTWpJ62bsbYiO
ejVxiKUgEQh/oDd4GjYXru+RtxkgpQ638gkEcgTcRxZuDMzSPtFdzcVF3z5zN82E
lmog3UOQlIIKIcApynWWlGZ4OF4g7SIzxhVRcrTGpKMnNQbg6LLVBq7KYvq56ng=
=INqy
-----END PGP SIGNATURE-----

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.