oss-sec mailing list archives
CVE request: Canto Feed URL Parsing Command Line Injection
From: Henri Salo <henri () nerv fi>
Date: Thu, 27 Nov 2014 00:25:09 +0200
Can I get 2013 CVE for Canto feed URL parsing command line injection vulnerability, thanks.

Project website: http://codezen.org/canto-ng/
Affected versions: All versions prior to v0.9.0
Debian version affected: 0.7.10-4

Canto was later removed from Debian. Versions 0.7.10-4 (wheezy) and 0.7.9-1 (squeeze) are not affected with this payload.

Upstream fix: https://github.com/themoken/canto-curses/commit/2817869f98c54975f31e2dd674c1aefa70749cca

PoCs attached from the original advisory email.

OSVDB: http://osvdb.org/101335

Reported in Debian BTS https://bugs.debian.org/731582 by <the_walrus_88 () manlymail net>. Quoting the mail:

"""
I have just found a command line injection security vuln in canto. The program fetches feeds from configured sites, and the feeds contain URLs that people may want to visit. If a user starts canto and chooses to go to one URL from one feed, canto constructs a sh command line to visit the URL, but it doesn't remove metachars. Therefore a malicious feed (owner turned bad, man in the middle attack if fetched with http) can put in bad data in all link and guid elements of the feed and use this to hack the user when they visit some of the URLs. Not good.

See my conf.py and evil.rss files for an example.

Sorry for my English!
"""

In case someone finds more issues you can contact developer via: http://codezen.org/canto-ng/contact-bugs/

---
Henri Salo
Attachments: evil.rss, conf.py, signature.asc (digital signature)
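Added example, not part of the original message and not canto's code or its upstream fix: the bug class the report describes (a feed URL pasted into an sh command line) next to two common mitigations, passing the URL as a single argv element and quoting it with shlex.quote. The `echo OPEN` stand-in for the browser command, the function names and the sample link are assumptions constructed for this illustration.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

# Constructed feed <link> value; the ';' is a shell metacharacter and the
# trailing command is a harmless echo.
FEED_LINK = "http://example.invalid/a;echo INJECTED"

# "echo OPEN" stands in for the configured browser command (assumption:
# canto's real handler configuration is not shown in the message).


def open_unsafe(url):
    """Pattern the report describes: URL pasted into an sh command line."""
    cmd = "echo OPEN " + url
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_feed_url(url):
    """Allow only absolute http(s) URLs; rejects option-like or schemeless values."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("refusing to open non-http(s) link: %r" % url)
    return url


def open_argv(url):
    """No shell: the URL is exactly one argv element, metacharacters are inert."""
    argv = ["echo", "OPEN", validate_feed_url(url)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def open_quoted(url):
    """If a shell is unavoidable, quote the untrusted value with shlex.quote."""
    cmd = "echo OPEN " + shlex.quote(validate_feed_url(url))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for fn in (open_unsafe, open_argv, open_quoted):
        print(fn.__name__, repr(fn(FEED_LINK)))
```

In the unsafe form the shell runs the text after `;` as a second command; in the other two the whole link reaches the stand-in browser as one argument.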