Re: CVE request: lsyncd command injection

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> There is a command injection flaw in lsyncd, a file change monitoring
> and synchronization daemon:
>
> https://github.com/axkibe/lsyncd/issues/220
>
> https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227

Use CVE-2014-8990. The scope of this CVE ID includes both:

  1. code execution with ` characters or other characters that are
     special to a shell
  2. denial of service scenarios in which a user with write access
     to a local directory uses special characters to make
     synchronization fail (might have security relevance in some
     scenarios)

The MITRE CVE team does not have a Lua expert. The code change adds:

  local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
  local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')

This does not seem to be the typical fix approach for unsafe input to
a shell. Has anyone concluded that this is an incomplete fix that ought
to be modified before the 2.1.6 release?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUbY53AAoJEKllVAevmvmsovEH/RdJAnkv4IR3AiSZ9RUVjmn7
5U52az+5OPJLx3P3Z7MrEytMirvjrr3/tWYu06FDfOFRgwSc0lbt5DHjr2+dBemw
kSsuw7BUc7NBAploOFyX/HEqafSYNs4ykRCKxtYhrnqq9R/pa+E86Ol74lxqqXX+
0gwKt3j49qrs+t7Ll7QWn3BdnGgtLNjMn0Zh2kgczUnevZ4wY4ssohM5JQXC9ImS
IlbXuy0INovx9j1DBplNrGQ07p3ETjH0gcYcucb/MvS6r1RaJXXrrg3bd5CUVEpj
kwyDtPrs/LuSj+Gi+wq4xRBpzmXxLoJ2yc4Czg+ch5qFToXx0cu9Zo/LOJB9m9g=
=q6u/
-----END PGP SIGNATURE-----