oss-sec mailing list archives
Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified
From: mancha <mancha1 () zoho com>
Date: Thu, 20 Nov 2014 19:17:22 +0000
On Thu, Nov 20, 2014 at 11:38:20AM -0500, Francisco Alonso wrote:
Hello, It was discovered that the wordexp() function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution of a shell for command substitution when the applicaiton did not request it. Bug report: https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2014-7817 Git commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c References: https://bugzilla.redhat.com/show_bug.cgi?id=1157689 https://sourceware.org/ml/libc-alpha/2014-11/msg00519.html
Francisco, thanks for the post. After a lightning review of one of my systems, I found the following use glibc's wordexp: adobe's flash plugin, ardour2, mailx, enca. I've not looked into which input is under a would-be-attacker's control. --mancha
Attachment:
_bin
Description:
Current thread:
- CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Francisco Alonso (Nov 20)
- Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified mancha (Nov 20)
- RE: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Mehaffey, John (Nov 20)
- Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Vasyl Kaigorodov (Nov 21)
- Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Marcus Meissner (Nov 21)
- RE: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Mehaffey, John (Nov 20)
- Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified mancha (Nov 20)