oss-sec mailing list archives

Re: CVE request: Canto Feed URL Parsing Command Line Injection


From: cve-assign () mitre org
Date: Wed, 26 Nov 2014 23:10:32 -0500 (EST)

> Can I get 2013 CVE for Canto feed URL parsing command line injection
> vulnerability
>
> Affected versions: All versions prior to v0.9.0
>
> https://github.com/themoken/canto-curses/commit/2817869f98c54975f31e2dd674c1aefa70749cca
> https://bugs.debian.org/731582
>
> If a user starts canto and chooses to go to one URL from one feed,
> canto constructs a sh command line to visit the URL, but it doesn't
> remove metachars.

Use CVE-2013-7416.

One might also argue that the underlying problem is that
doc/configuration in the Canto distribution tells users to enter
link_handler lines with " quoting, e.g.,

  link_handler("elinks \"%u\"", text=True)

within the user's ~/.canto/conf.py file. This perhaps could have been
addressed either by making the %u value safe before conf.py is
executed, or by telling the user to add other Python code to conf.py
for correct quoting.

In other words, 731582 is a valid vulnerability report because the
reporter is using a quoting approach that exactly matches the vendor's
recommendation. This is not a site-specific report about an error in
one user's ~/.canto/conf.py file.

2817869f98c54975f31e2dd674c1aefa70749cca adds an shlex.quote call --
shlex.quote is found in
https://hg.python.org/cpython/file/tip/Lib/shlex.py and has:

   return "'" + s.replace("'", "'\"'\"'") + "'"

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
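The quoting behaviour discussed in the message above, as an added example (not code from Canto or from this thread): it runs a harmless `printf` handler through `sh -c` and checks whether each URL reaches the handler unchanged. Substituting `%u` with `str.replace`, the `printf` stand-in for the browser, and the sample URLs are assumptions constructed for the demonstration.

```python
import shlex
import subprocess

# Constructed sample URLs; "example.invalid" and the EXPANDED marker are made up.
SAMPLES = [
    "http://example.invalid/a?x=$(echo EXPANDED)",
    "http://example.invalid/b`echo EXPANDED`",
    "http://example.invalid/it's",
]

# printf stands in for the browser so the handler only echoes its argument.
# Each entry: (template, function applied to the URL before substitution).
# Replacing %u with str.replace is an assumption, not Canto's own code.
CASES = {
    # %u wrapped in " as in the quoted doc/configuration line, URL inserted raw
    "doc-style": ('printf %s "%u"', str),
    # bare %u, URL passed through shlex.quote
    "bare+quote": ("printf %s %u", shlex.quote),
    # shlex.quote output placed inside a " pair: sh still expands $() there
    "quote-in-dq": ('printf %s "%u"', shlex.quote),
}


def handler_sees(template, prepare, url):
    """Return the argument the handler receives when sh runs the command."""
    cmd = template.replace("%u", prepare(url))
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def audit():
    """For each case, report per sample whether the URL arrived unchanged."""
    return {
        name: [handler_sees(tpl, prep, u) == u for u in SAMPLES]
        for name, (tpl, prep) in CASES.items()
    }


if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{name:12} {ok}")
```

Only the bare placeholder combined with `shlex.quote` delivers every sample intact; the third case is a property of `sh` quoting and says nothing about how the referenced commit applies the call.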

