oss-sec mailing list archives
Re: CVE-Request - GNU Awk.
From: Tomas Hoger <thoger () redhat com>
Date: Mon, 14 Mar 2016 13:26:52 +0100
On Mon, 14 Mar 2016 06:32:28 +0000 Steve Kemp wrote:
I reported two DoS bugs against GNU Awk to the debian bug tracker recently, both of which are denial of service attacks causing NULL-pointer deferences. It would be useful to have a CVE identifiers assigned.
Why should these get a CVE? As you state in one of your reports:
While I appreciate that passing untrusted code to gawk is not a
common thing to do, I do not believe that it should be possible to
trigger a segfault though.
Why should that be considered a valid / safe use case at all? If
something makes awk run untrusted programs, there's code execution
problem already:
echo | awk '{ system("id") }'
--
Tomas Hoger / Red Hat Product Security
Current thread:
- CVE-Request - GNU Awk. Steve Kemp (Mar 13)
- Re: CVE-Request - GNU Awk. Tomas Hoger (Mar 14)
- Re: CVE-Request - GNU Awk. Yuriy M. Kaminskiy (Mar 14)
- Re: Re: CVE-Request - GNU Awk. Kurt Seifried (Mar 14)
- Re: Re: CVE-Request - GNU Awk. Bob Friesenhahn (Mar 14)
- Re: CVE-Request - GNU Awk. Yuriy M. Kaminskiy (Mar 14)
- Re: CVE-Request - GNU Awk. Tomas Hoger (Mar 14)
- <Possible follow-ups>
- Re: CVE-Request - GNU Awk. Steve Kemp (Mar 14)