oss-sec mailing list archives
Re: CVE request - Snoopy incomplete fix for CVE-2008-4796
From: Garth Mollett <gmollett () redhat com>
Date: Wed, 16 Jul 2014 17:02:04 +1000
Sorry, I should have been more clear in my request.

This is the original fix for CVE-2008-4796:
http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?r1=1.26&r2=1.27

Note using escapeshellcmd instead of escapeshellarg and still allows injection of params to curl.

This was then updated to this:
http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?r1=1.27&r2=1.28

Looking at the changes starting around line 927 (in 1.28) escapeshellcmd($URI) is replaced with escapeshellarg($URI), however the code handling $cmdline_params is changed to this:

    $safer_header = strtr($headers[$curr_header], "\"", " ");
    $cmdline_params .= " -H \"" . $safer_header . "\"";
    [..]
    $cmdline_params .= " -d \"$body\"";
    exec($this->curl_path . " -k -D \"$headerfile\"" . $cmdline_params . " " . escapeshellarg($URI), $results, $return);

Which by my reading still allows command injection.

Then, starting from revision 1.29 through 1.33 this code is all removed and replaced with native php instead of calling curl.

I am not at all involved with this project nor do I have any kind of extra insight on this. Sorry if my original email was misleading or confusing. Please let me know if there is anything else I can do in order to clarify if a CVE assignment is needed for this or not.

On 07/16/2014 03:57 PM, cve-assign () mitre org wrote:
> The information that has been sent so far doesn't determine whether there should be one CVE ID or two CVE IDs. A statement of "does still allow command injection" would potentially mean two CVE IDs, whereas "may still allow command injection" could end up as "does not still allow command injection."
>
> The original CVE request was on July 9, and implied that watching http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log was of interest because a second security fix might be announced there "shortly." However, that view=log page was last updated on July 8. We will continue to check that view=log page from time to time.
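As an added illustration (not Snoopy's code and not part of either mail), the PHP below rebuilds the 1.28-style curl command line next to a version that passes every untrusted value through escapeshellarg(), showing why replacing only the double quote does not stop the shell from interpreting a header value. Paths, header names and the request body are constructed sample values.

```php
<?php
// Added example, not Snoopy's own code. Contrasts the quote-stripping seen in
// Snoopy.class.php 1.28 with escapeshellarg() applied to every untrusted value.

// Weak: mirrors the 1.28 header/body handling. strtr() only drops the literal
// double quote, but inside a double-quoted shell word /bin/sh still expands
// $var, $(...) and backticks, and $body is not filtered at all.
function buildWeak(string $curl, string $headerfile, array $headers,
                   string $body, string $uri): string
{
    $params = '';
    foreach ($headers as $h) {
        $safer = strtr($h, "\"", " ");
        $params .= " -H \"" . $safer . "\"";
    }
    $params .= " -d \"$body\"";
    return $curl . " -k -D \"$headerfile\"" . $params . ' ' . escapeshellarg($uri);
}

// Hardened: each value is wrapped by escapeshellarg() in single quotes (with
// embedded single quotes escaped), so the shell never interprets its contents.
// Option flags stay literal; values never do.
function buildSafe(string $curl, string $headerfile, array $headers,
                   string $body, string $uri): string
{
    $parts = [escapeshellarg($curl), '-k', '-D', escapeshellarg($headerfile)];
    foreach ($headers as $h) {
        $parts[] = '-H';
        $parts[] = escapeshellarg($h);
    }
    $parts[] = '-d';
    $parts[] = escapeshellarg($body);
    $parts[] = escapeshellarg($uri);
    return implode(' ', $parts);
}

// Constructed input: a header value carrying a shell substitution but no
// double quote, so the strtr() filter leaves it untouched.
$headers = ['X-Demo: $(echo injected)'];

$weak = buildWeak('/usr/bin/curl', '/tmp/hdr', $headers, 'a=1', 'https://example.com/');
$safe = buildSafe('/usr/bin/curl', '/tmp/hdr', $headers, 'a=1', 'https://example.com/');

// Weak output contains  -H "X-Demo: $(echo injected)"  which sh would expand.
// Safe output contains  -H 'X-Demo: $(echo injected)'  which sh passes verbatim.
echo $weak, PHP_EOL, $safe, PHP_EOL;
```

The later Snoopy revisions the mail mentions went further and dropped exec() entirely in favour of native PHP HTTP handling, which removes the shell from the picture altogether.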