oss-sec mailing list archives
Re: CVE Request: lshell: shell outbreak vulnerabilities via bad syntax parse and multiline commands
From: cve-assign () mitre org
Date: Mon, 22 Aug 2016 16:55:56 -0400 (EDT)
1/ Shell outbreak due to bad syntax parse
- https://github.com/ghantoos/lshell/issues/147
- https://bugs.debian.org/834949

Use CVE-2016-6902.

2/ Shell outbreak with multiline commands
- https://github.com/ghantoos/lshell/issues/149
- Fix: https://github.com/ghantoos/lshell/commit/e72dfcd1f258193f9aaea3591ecbdaed207661a0
- https://bugs.debian.org/834946
Use CVE-2016-6903.

https://bugs.debian.org/834949 and https://bugs.debian.org/834946 also mention "Command parser in this shell is beyound of recovery." This suggests that other vulnerabilities may be fixed at the same time as issues/147, or that other vulnerabilities may be discovered. In particular, https://github.com/ghantoos/lshell/issues/147#issuecomment-241366750 mentions a different attack methodology. At least for now, https://github.com/ghantoos/lshell/issues/147#issuecomment-241366750 is within the scope of CVE-2016-6902. It is difficult to predict what other CVE IDs may be needed until there is further vendor followup about issues/147.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
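The two defect classes this thread assigns IDs to, a permissive syntax parse and a line break that turns one "command" into several, are easiest to see side by side in a small validator. The following is an added example, not lshell's code and not part of the message above; the allowlist, the helper names and the sample inputs are all constructed for illustration. It contrasts a naive first-token check, which passes a string containing an embedded newline, with a check that rejects separator and expansion characters before tokenising with shlex and treats a parse error as a rejection rather than a pass.

```python
import shlex

# Constructed allowlist for this example (not lshell's configuration).
ALLOWED_COMMANDS = {"ls", "cat", "echo", "pwd"}

# Characters that let a single submitted line become more than one command,
# or reach the underlying shell for expansion. Newline and carriage return
# cover the multiline case; the rest are the usual separators and expansions.
FORBIDDEN_CHARS = set("\n\r;&|`$()<>{}")


def naive_check(line: str) -> bool:
    """The defect class: look only at the first whitespace-delimited token.

    str.split() treats a newline like any other whitespace, so a line such as
    "ls\\nid" is accepted on the strength of "ls" alone, and the whole string,
    newline included, would later reach the real shell as two commands.
    """
    tokens = line.split()
    return bool(tokens) and tokens[0] in ALLOWED_COMMANDS


def validate_command(line: str) -> tuple[bool, str]:
    """Hardened check: returns (accepted, reason).

    1. Refuse any separator/expansion character outright, newlines included.
    2. Tokenise with shlex; a syntax error (for example an unterminated quote)
       is a rejection, never a fall-through to "looks fine".
    3. Require the command word itself to be on the allowlist.
    """
    bad = sorted(c for c in set(line) if c in FORBIDDEN_CHARS)
    if bad:
        return False, "forbidden character(s): " + repr("".join(bad))
    try:
        tokens = shlex.split(line)
    except ValueError as exc:
        return False, f"syntax error: {exc}"
    if not tokens:
        return False, "empty command"
    if tokens[0] not in ALLOWED_COMMANDS:
        return False, f"command not allowed: {tokens[0]}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample lines: an ordinary command, a two-line submission,
    # a malformed quote, and a command outside the allowlist.
    samples = ["ls -l /tmp", "ls\nid", "echo 'unterminated", "vim notes.txt", ""]
    for s in samples:
        print(f"{s!r:25} naive={naive_check(s)!s:5} hardened={validate_command(s)}")
```

The first step deliberately runs before shlex.split, so a newline hidden inside quotes is refused as well; a restricted shell has no legitimate reason to accept one, and being conservative here costs nothing.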
Current thread:
- CVE Request: lshell: shell outbreak vulnerabilities via bad syntax parse and multiline commands Salvatore Bonaccorso (Aug 22)
- Re: CVE Request: lshell: shell outbreak vulnerabilities via bad syntax parse and multiline commands cve-assign (Aug 22)