oss-sec mailing list archives
Re: CVE-Request - GNU Awk.
From: Steve Kemp <steve () steve org uk>
Date: Mon, 14 Mar 2016 12:45:06 +0000

> Why should these get a CVE? As you state in one of your reports:
>
> > While I appreciate that passing untrusted code to gawk is not a
> > common thing to do, I do not believe that it should be possible
> > to trigger a segfault though.
>
> Why should that be considered a valid / safe use case at all? If
> something makes awk run untrusted programs, there's a code execution
> problem already:

While I suspect there is virtually no situation whereby a service would allow the upload/processing of arbitrary awk in the wild, I do believe that no (semi)valid program should terminate the interpreter with a segfault.

That is the reason why I believe that it is worthy of an identifier. Though I will avoid making future requests for similar issues if I'm alone in that belief!

Steve
--
http://www.steve.org.uk/