oss-sec mailing list archives

Re: CVE Request: lshell: shell outbreak vulnerabilities via bad syntax parse and multiline commands

From: cve-assign () mitre org
Date: Mon, 22 Aug 2016 16:55:56 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

1/ Shell outbreak due to bad syntax parse
   - https://github.com/ghantoos/lshell/issues/147
   - https://bugs.debian.org/834949


Use CVE-2016-6902.

2/ Shell outbreak with multiline commands
   - https://github.com/ghantoos/lshell/issues/149
   - Fix: https://github.com/ghantoos/lshell/commit/e72dfcd1f258193f9aaea3591ecbdaed207661a0
   - https://bugs.debian.org/834946


Use CVE-2016-6903.


https://bugs.debian.org/834949 and https://bugs.debian.org/834946 also
mention "Command parser in this shell is beyound of recovery." This
suggests that other vulnerabilities may be fixed at the same time as
issues/147, or that other vulnerabilities may be discovered. In
particular,
https://github.com/ghantoos/lshell/issues/147#issuecomment-241366750
mentions a different attack methodology. At least for now,
https://github.com/ghantoos/lshell/issues/147#issuecomment-241366750
is within the scope of CVE-2016-6902. It is difficult to predict what
other CVE IDs may be needed until there is further vendor followup
about issues/147.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXu2Z5AAoJEHb/MwWLVhi2yV8P/jYtI8rE7dbkIHDCytF6ligt
O586ap6xBzpt0x874jrEZvteWGm1qDmA0JhQsuRa6CAGWRwOy1DweZpppDZ0u3ic
85dT8yQw+9Hz3eJe0G/M3WjSk6m2eeyUGf5N6817UAim/SM+RnNVfPrP+ytBCb5Z
tpdXPW+BKJa1/FsSAcQ6+mzkpytPXb8DFdf9Tb82g8rAPZTMNw/beJXaBo4o+Btr
ZYOv3QGkpubbak6TWVCI9mmbslekFKrcI7qKYwYAwkON4CUHkXg8/RhbMbLVDzlC
sSlvPBiGibzm3uNtuMqkbVAKazrpad/NNwt/ioAVYltDOZjIs7jNPe7Va9YLKcBz
33IVH9QQMQr5CRh5kYgV3coSMRvQfduIIE4I7HxlumlwGJKsvARQ4JiEYhoqrgKv
/M1pzohNpg7TBW5RjHuYMZougbHa70tezV2+mtjdb28lB3DrsAafNPa+9R9cE+UB
5fE4Qm7LYRqA4hNtut0OrdEF5zmJL1u8xuVOoj5pUdRDs4A9FL/hT8TEFXsQaknA
nXNtI+bqYQxOqE1ZXg40WbN6Z/aeZYSIUXhZ1DdirCGqtEsnD6IJ07kch/QuZsUc
Qd1IoN4d6fCfKcObz2AZ4fg+As7ndsmuMapi+VMPff3JZrqakQVroptK1K2gTHY2
92ovu5VQOdGYAvoWVFQR
=ICSm
-----END PGP SIGNATURE-----

Current thread:

CVE Request: lshell: shell outbreak vulnerabilities via bad syntax parse and multiline commands Salvatore Bonaccorso (Aug 22)
- Re: CVE Request: lshell: shell outbreak vulnerabilities via bad syntax parse and multiline commands cve-assign (Aug 22)