oss-sec mailing list archives

Re: GNU ed heap overflow


From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 4 Sep 2008 13:07:08 -0400 (EDT)


Use CVE-2008-3916... with caveat.

While everything's inter-connected these days and maybe ed can be invoked
from some URI handler, or behind some application that passes user input
to ed, I'm generally uncomfortable assigning a CVE for this type of "local
issue" unless there's a reasonable usage scenario under which the
application is reachable (WordNet has reasonable usage scenarios as a back
end, for example).


======================================================
Name: CVE-2008-3916
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3916
Reference: MLIST:[bug-ed] 20080821 Version 1.0 of GNU ed released
Reference: URL:http://lists.gnu.org/archive/html/bug-ed/2008-08/msg00000.html
Reference: SECTRACK:1020734
Reference: URL:http://www.securitytracker.com/id?1020734
Reference: XF:gnued-stripescapes-bo(44643)
Reference: URL:http://xforce.iss.net/xforce/xfdb/44643

Heap-based buffer overflow in the strip_escapes function in signal.c
in GNU ed before 1.0 allows context-dependent or user-assisted
attackers to execute arbitrary code via a long filename.  NOTE: since
ed itself does not typically run with special privileges, this issue
only crosses privilege boundaries when ed is invoked as a third-party
component.
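The CVE text above names the bug class (a heap-based buffer overflow reached through a long filename in an escape-stripping routine) without showing code. The block below is an added illustration of that class and of the bounded-copy fix, not GNU ed's code, not the upstream patch, and not a reconstruction of the real strip_escapes: the function names, the 64-byte buffer size and the sample inputs are all hypothetical, chosen only to make the pattern concrete. The unsafe variant is shown for contrast and is deliberately never called on the long input, since doing so would write past a heap allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size heap buffer for an escape-stripped filename.
   Illustrative constant only; not a value taken from GNU ed. */
#define NAME_BUF_LEN 64

/* Vulnerable pattern (illustrative, not GNU ed's code): copy the filename
   into a fixed heap block, dropping backslash escapes, with no check on
   the input length.  Any name whose stripped form exceeds NAME_BUF_LEN-1
   bytes writes past the end of the allocation: a heap-based overflow. */
char *strip_escapes_unsafe(const char *name)
{
    char *out = malloc(NAME_BUF_LEN);
    if (!out) return NULL;
    size_t j = 0;
    for (size_t i = 0; name[i] != '\0'; i++) {
        if (name[i] == '\\' && name[i + 1] != '\0')
            i++;                 /* drop the backslash, keep the escaped char */
        out[j++] = name[i];      /* unbounded write into a 64-byte block */
    }
    out[j] = '\0';
    return out;
}

/* Hardened version: same stripping semantics, but every write is bounded
   by the allocation size.  Returns NULL when the stripped name would not
   fit (including the terminator) so the caller can reject the input. */
char *strip_escapes_safe(const char *name, size_t buf_len)
{
    if (buf_len == 0) return NULL;
    char *out = malloc(buf_len);
    if (!out) return NULL;
    size_t j = 0;
    for (size_t i = 0; name[i] != '\0'; i++) {
        if (name[i] == '\\' && name[i + 1] != '\0')
            i++;
        if (j + 1 >= buf_len) {  /* no room left for this byte plus '\0' */
            free(out);
            return NULL;
        }
        out[j++] = name[i];
    }
    out[j] = '\0';
    return out;
}

/* Length of the stripped name as produced by the safe routine with the
   default buffer, or -1 if the safe routine rejected the input. */
int stripped_len(const char *name)
{
    char *s = strip_escapes_safe(name, NAME_BUF_LEN);
    if (!s) return -1;
    int n = (int)strlen(s);
    free(s);
    return n;
}

/* Build a constructed filename of `len` 'A' bytes and report whether the
   safe routine rejects it (1) or accepts it (0). */
int long_name_rejected(size_t len)
{
    char *name = malloc(len + 1);
    if (!name) return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    int rejected = (stripped_len(name) < 0);
    free(name);
    return rejected;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the original report. */
    printf("\"my\\ file.txt\" -> %d bytes after stripping\n",
           stripped_len("my\\ file.txt"));
    printf("255-byte name   -> %s\n",
           long_name_rejected(255) ? "rejected" : "accepted");
    /* strip_escapes_unsafe() is intentionally not exercised with the long
       name: the unbounded copy would corrupt the heap. */
    return 0;
}
```

The hardened routine fails closed: rather than truncating silently, it refuses the input and lets the caller report the error, which is the behaviour a defender wants when the filename can arrive from an untrusted front end, the scenario the note above treats as the privilege-boundary case.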