oss-sec mailing list archives
AW: Re: CVE request: screen stack overflow (deep recursion)
From: Fiedler Roman <Roman.Fiedler () ait ac at>
Date: Thu, 3 Sep 2015 05:25:11 +0000
Von: cve-assign () mitre org [mailto:cve-assign () mitre org] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Use CVE-2015-6806. We feel that the CVE inclusion case for this issue might be marginal. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797624#5 says Hence this can be used to cause a denial of service attack by tricking a user into e.g. displaying a file with "cat" inside screen
What about "tail -f /var/log/syslog", Apache or other kind of logs for debugging? [Yes, that's often how logs are running over the screen in videos when talking about IT-security]. It's convenient and I'm using screen exactly to avoid any injection of commands via TIOCSTI into my current TTY when a context switch is needed before starting tail, e.g. when working with LXC containers. Still not sure, if this is an argument for CVE inclusion, at least it is one for more auditing/hardening on tools like screen, which is now happening. Thanks for that!
[..snip..]
Attachment:
smime.p7s
Description:
Current thread:
- CVE request: screen stack overflow (deep recursion) Florian Weimer (Aug 31)
- Re: CVE request: screen stack overflow (deep recursion) cve-assign (Sep 02)
- AW: Re: CVE request: screen stack overflow (deep recursion) Fiedler Roman (Sep 02)
- Re: CVE request: screen stack overflow (deep recursion) Solar Designer (Sep 02)
- Re: CVE request: screen stack overflow (deep recursion) Solar Designer (Sep 03)
- Re: CVE request: screen stack overflow (deep recursion) Kuang-che Wu (Sep 03)
- AW: Re: CVE request: screen stack overflow (deep recursion) Fiedler Roman (Sep 02)
- Re: CVE request: screen stack overflow (deep recursion) cve-assign (Sep 02)