oss-sec mailing list archives
Re: CVE request for path traversal / info leak bug in Spiffy web server
From: Peter Bex <peter () more-magic net>
Date: Wed, 18 Nov 2015 18:35:50 +0100
On Wed, Nov 18, 2015 at 12:15:41PM -0500, cve-assign () mitre org wrote:
> > http://lists.gnu.org/archive/html/chicken-announce/2015-11/msg00000.html
> > if you are using awful, chickadee, pastiche, qwiki, websockets or any other egg that uses Spiffy as HTTP server, your server is vulnerable as well.
> > Spiffy 5.4 eliminates the vulnerability without requiring the fix for the CHICKEN core.
>
> Use CVE-2015-8235 for the Spiffy vulnerability.

Thank you.

> > The issue with the CHICKEN core procedures has been addressed by edd4926bb4f4c97760a0e03b0d0e8210398fe967 in the git repository, but it is not in any stable release yet.
> > http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=edd4926bb4f4c97760a0e03b0d0e8210398fe967
>
> If this is a CHICKEN core vulnerability, it needs a separate CVE ID. The description above -- especially the 'supposed to be "atomic"' comment -- suggests that the code is unambiguously wrong, but the commit message presents the issue differently. Also, it appears that introducing '/' characters into strings is a general problem for any program that prohibits only '/' characters in user-supplied filenames (e.g., because the program, for whatever reason, can only be used on UNIX platforms). Is there a rationale for not considering this a CHICKEN vulnerability?

I'm not 100% sure, but I think it was not considered to be a vulnerability as such because, while it's indeed unambiguously wrong, it doesn't directly present a vulnerability. It's only, like you say, when an application prohibits only '/' characters, when this results in a vulnerability. I trust your judgement on this, so if this is worth a CVE ID, please assign one.

Regards,
Peter Bex
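
The point raised in the thread, that rejecting only '/' in a user-supplied filename fails once a library procedure introduces '/' afterwards, shown as an added Python example (not part of the original message, and not code from Spiffy or CHICKEN). `lib_normalize` is a hypothetical stand-in that rewrites backslashes to '/'; the thread itself does not spell out the mechanism, and all paths and file names are constructed.

```python
import posixpath
from typing import Optional


def lib_normalize(path: str) -> str:
    """Hypothetical stand-in for a library path procedure that can
    introduce '/' into a string (assumption: it rewrites '\\' to '/')."""
    return path.replace("\\", "/")


def naive_resolve(root: str, name: str) -> Optional[str]:
    """Weak pattern: prohibit only '/' in the raw name, then let the
    library transform the string. The check runs before the transformation."""
    if "/" in name:
        return None
    return posixpath.normpath(posixpath.join(root, lib_normalize(name)))


def safe_resolve(root: str, name: str) -> Optional[str]:
    """Hardened pattern: apply every transformation first, then verify that
    the final path is still inside root. Lexical check only; a real server
    would also resolve symlinks (os.path.realpath) before comparing."""
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, lib_normalize(name)))
    if full != root and not full.startswith(root.rstrip("/") + "/"):
        return None
    return full


if __name__ == "__main__":
    docroot = "/srv/www"  # constructed document root
    for requested in ["index.html", "css\\site.css", "../secret.txt", "..\\secret.txt"]:
        print(f"{requested!r:20} naive={naive_resolve(docroot, requested)!r:24} "
              f"safe={safe_resolve(docroot, requested)!r}")
```
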