oss-sec mailing list archives
Re: CVE id requests: gmanedit
From: Nico Golde <oss-security+ml () ngolde de>
Date: Tue, 9 Sep 2008 19:01:29 +0200
Hi Steven, * Steven M. Christey <coley () linus mitre org> [2008-09-09 18:12]:
On Sat, 6 Sep 2008, Steffen Joeris wrote:There are two possible buffer overflows in gmanedit. One is via crafted configuration file and the other one via crafted manual page. See the Debian bug report for more information. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497835Use CVE-2008-3971, which covers the manual page and (if it's security-relevant) the configuration page. Even though the source of attack is different, the vuln type is the same. Nico - I don't know the typical usage scenarios for gmanedit, but if the design of the configuration file allows the user to define dangerous actions (such as their own executable commands), then it's clearly not intended for external influence and wouldn't count as a vuln in my book. Still would be merged under CVE-2008-3971 if there's a scenario.
I share your opinion here, I'd rather see the COMMANDS thing as an application bug as a user who doesn't read the configuration but just uses it could also get owned with a valid command. The only difference I see is that as far as I understood the command is only executed after user action while the configuration value is read without. The manpage utf-8 conversion is the real vulnerability as it is possible to exploit a victim by opening a crafted manpage in gmanedit. Cheers Nico -- Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
Attachment:
_bin
Description:
Current thread:
- CVE id requests: gmanedit Steffen Joeris (Sep 05)
- Re: CVE id requests: gmanedit Steven M. Christey (Sep 09)
- Re: CVE id requests: gmanedit Nico Golde (Sep 09)
- Re: CVE id requests: gmanedit Steven M. Christey (Sep 09)