oss-sec mailing list archives
Re: CVE request: Canto Feed URL Parsing Command Line Injection
From: cve-assign () mitre org
Date: Wed, 26 Nov 2014 23:10:32 -0500 (EST)
> Can I get a 2013 CVE for the Canto feed URL parsing command line injection vulnerability?
>
> Affected versions: All versions prior to v0.9.0
>
> https://github.com/themoken/canto-curses/commit/2817869f98c54975f31e2dd674c1aefa70749cca
> https://bugs.debian.org/731582
>
> If a user starts canto and chooses to go to one URL from one feed, canto constructs a sh command line to visit the URL, but it doesn't remove metachars.
Use CVE-2013-7416.

One might also argue that the underlying problem is that doc/configuration in the Canto distribution tells users to enter link_handler lines with " quoting, e.g.,

  link_handler("elinks \"%u\"", text=True)

within the user's ~/.canto/conf.py file. This perhaps could have been addressed either by making the %u value safe before conf.py is executed, or by telling the user to add other Python code to conf.py for correct quoting. In other words, 731582 is a valid vulnerability report because the reporter is using a quoting approach that exactly matches the vendor's recommendation. This is not a site-specific report about an error in one user's ~/.canto/conf.py file.

2817869f98c54975f31e2dd674c1aefa70749cca adds a shlex.quote call -- shlex.quote is found in https://hg.python.org/cpython/file/tip/Lib/shlex.py and has:

  return "'" + s.replace("'", "'\"'\"'") + "'"

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
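A worked illustration of the two behaviours discussed above, added here and not taken from Canto or from the message: a hypothetical link_handler stand-in is filled in once the pre-fix way (URL pasted into the double-quoted template) and once with shlex.quote as commit 2817869f98c54975f31e2dd674c1aefa70749cca does, and each command line is then tokenised with Python's own shlex the way sh would split it. LINK_HANDLER, the helper names and the sample URL are constructed for this example.

```python
import shlex

# Hypothetical stand-in for the link_handler template the Canto docs
# recommended: a sh command line in which %u is replaced by the feed URL.
LINK_HANDLER = 'elinks "%u"'

# Constructed sample URL carrying shell metacharacters (a double quote,
# semicolons and spaces); the echo is inert and only marks the extra tokens.
METACHAR_URL = 'http://example.org/item?q=1" ; echo extra ; "'


def build_naive(template, url):
    """Pre-fix behaviour: paste the URL into the template verbatim, so the
    template's own double quotes are the only protection."""
    return template.replace("%u", url)


def quote_url(url):
    """The post-fix approach: shlex.quote wraps the value in single quotes
    and rewrites any embedded single quote as '"'"'."""
    return shlex.quote(url)


def build_quoted(template, url):
    """Post-fix behaviour: drop the template's double quotes around %u (they
    would otherwise make the single quotes literal characters) and
    substitute the shlex-quoted URL instead."""
    return template.replace('"%u"', "%u").replace("%u", quote_url(url))


def argv_seen_by_shell(cmdline):
    """Tokenise the command line with sh-like word splitting and quoting
    rules, so ';' and friends show up as separate tokens."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def url_is_single_argument(cmdline, url):
    """True only if elinks would receive the URL as exactly one argument."""
    return argv_seen_by_shell(cmdline) == ["elinks", url]


if __name__ == "__main__":
    for label, build in (("naive", build_naive), ("quoted", build_quoted)):
        cmd = build(LINK_HANDLER, METACHAR_URL)
        print(label, argv_seen_by_shell(cmd), url_is_single_argument(cmd, METACHAR_URL))
```

Only the shlex.quote variant delivers the URL as a single argument; the naive template leaves the trailing `; echo extra ;` as separate shell words.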
Current thread:
- CVE request: Canto Feed URL Parsing Command Line Injection Henri Salo (Nov 26)
- Re: CVE request: Canto Feed URL Parsing Command Line Injection cve-assign (Nov 26)