Re: CVE id requests: gmanedit

[Nico Golde <oss-security+ml () ngolde de>]

Hi Steven,
* Steven M. Christey <coley () linus mitre org> [2008-09-09 18:12]:
> On Sat, 6 Sep 2008, Steffen Joeris wrote:
>
> > There are two possible buffer overflows in gmanedit. One is via crafted
> > configuration file and the other one via crafted manual page.
> > See the Debian bug report for more information.
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497835
>
> Use CVE-2008-3971, which covers the manual page and (if it's
> security-relevant) the configuration page.  Even though the source of
> attack is different, the vuln type is the same.
>
> Nico - I don't know the typical usage scenarios for gmanedit, but if the
> design of the configuration file allows the user to define dangerous
> actions (such as their own executable commands), then it's clearly not
> intended for external influence and wouldn't count as a vuln in my book.
> Still would be merged under CVE-2008-3971 if there's a scenario.

I share your opinion here, I'd rather see the COMMANDS thing 
as an application bug as a user who doesn't read the 
configuration but just uses it could also get owned with a 
valid command. The only difference I see is that as far as I 
understood the command is only executed after user action 
while the configuration value is read without. The manpage 
utf-8 conversion is the real vulnerability as it is possible 
to exploit a victim by opening a crafted manpage in 
gmanedit.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description: