oss-sec mailing list archives

Re: CVE request for path traversal / info leak bug in Spiffy web server


From: cve-assign () mitre org
Date: Wed, 18 Nov 2015 12:15:41 -0500 (EST)


http://lists.gnu.org/archive/html/chicken-announce/2015-11/msg00000.html

if you are using awful,
chickadee, pastiche, qwiki, websockets or any other egg that uses Spiffy
as HTTP server, your server is vulnerable as well.

Spiffy 5.4 eliminates the
vulnerability without requiring the fix for the CHICKEN core.

Use CVE-2015-8235 for the Spiffy vulnerability.


The unfortunate cause of this is that some CHICKEN core
procedures are misbehaving: when passed a file that starts with a
backslash, some path manipulation procedures incorrectly
*replace* the backslash with a slash. This has the effect of
injecting a path separator into a path component that was
supposed to be "atomic". This results in the path component
being reinterpreted as two components.

The issue with the CHICKEN core procedures has been addressed by
edd4926bb4f4c97760a0e03b0d0e8210398fe967 in the git repository, but it
is not in any stable release yet.

http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=edd4926bb4f4c97760a0e03b0d0e8210398fe967

If this is a CHICKEN core vulnerability, it needs a separate CVE ID.
The description above -- especially the 'supposed to be "atomic"'
comment -- suggests that the code is unambiguously wrong, but the
commit message presents the issue differently. Also, it appears that
introducing '/' characters into strings is a general problem for any
program that prohibits only '/' characters in user-supplied filenames
(e.g., because the program, for whatever reason, can only be used on
UNIX platforms). Is there a rationale for not considering this a
CHICKEN vulnerability?

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
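
The separator-injection behaviour discussed in the message above, as an added Python model that is not part of the original message and is not CHICKEN or Spiffy code. `modeled_normalize`, the check functions, `resolve` and the sample input are all hypothetical names and constructed values; the model assumes only what the message states, that a leading backslash is replaced with a slash.

```python
import posixpath

def modeled_normalize(component):
    # Assumption: models only the behaviour described in the message,
    # a leading backslash being replaced with a slash.
    if component.startswith("\\"):
        return "/" + component[1:]
    return component

def naive_ok(component):
    # A filter that prohibits only '/' (and dot segments) in a component.
    return component not in ("", ".", "..") and "/" not in component

def strict_ok(component):
    # Treat the backslash as a separator too, so normalization cannot add one.
    return naive_ok(component) and "\\" not in component

def split_after_normalize(components):
    """Components as seen by code that runs after normalization."""
    joined = "/".join(modeled_normalize(c) for c in components)
    return joined.split("/")

def resolve(root, components, check):
    """Return the resolved path under root, or None if the request is rejected."""
    if not all(check(c) for c in components):
        return None
    seen = split_after_normalize(components)
    if seen != list(components):
        # A component did not stay atomic: validation and use disagree.
        return None
    path = posixpath.normpath(posixpath.join(root, *seen))
    if posixpath.commonpath([root, path]) != root:
        return None
    return path

# Constructed sample: two components, the second starting with a backslash.
SAMPLE = ["files", "\\notes.txt"]

if __name__ == "__main__":
    print("naive filter accepts:", all(naive_ok(c) for c in SAMPLE))
    print("after normalization:", split_after_normalize(SAMPLE))
    print("strict filter accepts:", all(strict_ok(c) for c in SAMPLE))
    print("resolved:", resolve("/srv/www", ["files", "notes.txt"], strict_ok))
```

The re-check after normalization in `resolve` is what catches the mismatch even when the weaker filter is in use, which is the property a caller can enforce without waiting for a fix in the underlying path procedures.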

