oss-sec mailing list archives
Re: GNU ed heap overflow
From: Tavis Ormandy <taviso () sdf lonestar org>
Date: Mon, 1 Sep 2008 07:05:54 +0000
If you can specify an arbitrary filename, can't you execute commands anyway? $ ed '!ls>&2' bin dev home lost+found misc net proc sbin srv tmp var boot etc lib media mnt opt root selinux sys usr 0 Thanks, Tavis. On Sun, Aug 31, 2008 at 01:13:01PM +0200, Florian Weimer wrote:
Can we get a CVE for this? The overflow is in the command line processing, and also affects the red command. | Alfredo Ortega from Core Security Technologies has found that GNU Ed | is vulnerable to a heap overflow. <http://lists.gnu.org/archive/html/bug-ed/2008-06/msg00000.html>
-- ------------------------------------- taviso () sdf lonestar org | finger me for my gpg key. -------------------------------------------------------
Current thread:
- GNU ed heap overflow Florian Weimer (Aug 31)
- Re: GNU ed heap overflow Tavis Ormandy (Sep 01)
- Re: GNU ed heap overflow Florian Weimer (Sep 01)
- Re: GNU ed heap overflow Steven M. Christey (Sep 04)
- Re: GNU ed heap overflow Florian Weimer (Sep 04)
- Re: GNU ed heap overflow Florian Weimer (Sep 01)
- Re: GNU ed heap overflow Tavis Ormandy (Sep 01)
- Re: GNU ed heap overflow Steven M. Christey (Sep 04)