oss-sec mailing list archives

Re: CVE-Request - GNU Awk.


From: Steve Kemp <steve () steve org uk>
Date: Mon, 14 Mar 2016 12:45:06 +0000

Why should these get a CVE?  As you state in one of your reports:

While I appreciate that passing untrusted code to gawk is not a
common thing to do, I do not believe that it should be possible to
trigger a segfault though.

Why should that be considered a valid / safe use case at all?  If
something makes awk run untrusted programs, there's a code execution
problem already:

  While I suspect there is virtually no situation whereby a service
 would allow the upload/processing of arbitrary awk in the wild, I
 do believe that no (semi)valid program should terminate the interpreter
 with a segfault.

  That is the reason why I believe that it is worthy of an
 identifier.  Though I will avoid making future requests for similar
 issues if I'm alone in that belief!

Steve
-- 
http://www.steve.org.uk/
