oss-sec mailing list archives
RE: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified
From: "Mehaffey, John" <John_Mehaffey () mentor com>
Date: Thu, 20 Nov 2014 21:35:02 +0000
From: mancha [mancha1 () zoho com] Sent: Thursday, November 20, 2014 11:17 AM To: oss-security () lists openwall com Cc: falonsoe () redhat com Subject: Re: [oss-security] CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified On Thu, Nov 20, 2014 at 11:38:20AM -0500, Francisco Alonso wrote:Hello, It was discovered that the wordexp() function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution of a shell for command substitution when the applicaiton did not request it. Bug report: https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2014-7817 Git commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c References: https://bugzilla.redhat.com/show_bug.cgi?id=1157689 https://sourceware.org/ml/libc-alpha/2014-11/msg00519.htmlFrancisco, thanks for the post. After a lightning review of one of my systems, I found the following use glibc's wordexp: adobe's flash plugin, ardour2, mailx, enca. I've not looked into which input is under a would-be-attacker's control. --mancha
alsa-lib is also affected. -mehaf
Current thread:
- CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Francisco Alonso (Nov 20)
- Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified mancha (Nov 20)
- RE: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Mehaffey, John (Nov 20)
- Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Vasyl Kaigorodov (Nov 21)
- Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Marcus Meissner (Nov 21)
- RE: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Mehaffey, John (Nov 20)
- Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified mancha (Nov 20)