Re: CVE request for path traversal / info leak bug in Spiffy web server

[Peter Bex <peter () more-magic net>]

On Wed, Nov 18, 2015 at 12:15:41PM -0500, cve-assign () mitre org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > http://lists.gnu.org/archive/html/chicken-announce/2015-11/msg00000.html
>
> > if you are using awful,
> > chickadee, pastiche, qwiki, websockets or any other egg that uses Spiffy
> > as HTTP server, your server is vulnerable as well.
>
> > Spiffy 5.4 eliminates the
> > vulnerability without requiring the fix for the CHICKEN core.
>
> Use CVE-2015-8235 for the Spiffy vulnerability.

Thank you.

> > The issue with the CHICKEN core procedures has been addressed by
> > edd4926bb4f4c97760a0e03b0d0e8210398fe967 in the git repository, but it
> > is not in any stable release yet.
> >
> > http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=edd4926bb4f4c97760a0e03b0d0e8210398fe967
>
> If this is a CHICKEN core vulnerability, it needs a separate CVE ID.
> The description above -- especially the 'supposed to be "atomic"'
> comment -- suggests that the code is unambiguously wrong, but the
> commit message presents the issue differently. Also, it appears that
> introducing '/' characters into strings is a general problem for any
> program that prohibits only '/' characters in user-supplied filenames
> (e.g., because the program, for whatever reason, can only be used on
> UNIX platforms). Is there a rationale for not considering this a
> CHICKEN vulnerability?

I'm not 100% sure, but I think it was not considered to be a
vulnerability as such because, while it's indeed unambiguously wrong,
it doesn't directly present a vulnerability.  It's only, like you say,
when an application prohibits only '/' characters, when this results in
a vulnerability.

I trust your judgement on this, so if this is worth a CVE ID, please
assign one.

Regards,
Peter Bex

Attachment: signature.asc
Description: Digital signature