Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: Re: CVE Request (minor) -- osc: Improper sanitization of terminal emulator escape sequences when displaying build log and build status
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 28 Feb 2012 16:21:20 -0700

On 02/28/2012 03:44 PM, Marcus Meissner wrote:
On Tue, Feb 28, 2012 at 06:56:52PM +0100, Jan Lieskovsky wrote:
I am not fully convinced it needs a CVE.

It basically boils down to the old "logfile with content that might be controlled
by an attacker pasted raw to a terminal" issue.

Aren't these generally covered?

CVE-2010-3928
CVE-2010-2713
CVE-2009-4487

"without sanitizing non-printable characters" and so on.

There is some more control on the person who builds a specific package what is output
thant there usually is in logfiles though.

A rogue server is unlikely, however a malicious packager could echo "bad escape code"
in his build and then ask for help on our IRC channels or mailinglists with package Y on project X.
(anyone can create an account and build packages ... and asking for help is not uncommon)
e.g. with "look at logfile with: 'osc buildlog home:user foopackage standard i586'.)

Ciao, Marcus


-- 
Kurt Seifried Red Hat Security Response Team (SRT)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault