
List:       oss-security
Subject:    Re: [oss-security] CVE id request: htop
From:       Nico Golde <oss-security+ml () ngolde ! de>
Date:       2008-11-15 13:34:07
Message-ID: 20081115133407.GA12851 () ngolde ! de


Hi,
* Steven M. Christey <coley@linus.mitre.org> [2008-11-14 19:40]:
> Sorry Jan and Nico, I didn't follow up with you on this.  There were some
> questions about whether this deserved a CVE, since THOUSANDS of programs
> dump output without considering whether they're writing to a terminal...
> or what they're writing to a terminal.

Yes true.

> For example, should the "cat" program become more terminal-aware and avoid
> sending dangerous sequences?  Which of dozens of different terminal types
> should it avoid sending these sequences to?  Should it get a new CVE every
> time it forgets about some other terminal?
> 
> Not to mention "more" and "ls" and "grep" and many others.
> 
> We were forced to flag Apache a number of years ago because it didn't
> filter certain dangerous characters from its logs.  I always felt a bit
> funny about that one.

This is really a corner case for me too; we decided to treat
this as a vulnerability but with "unimportant" impact.
Thanks for the id anyway.

Cheers
Nico
PS: Jan, I am not aware of any PoC here.
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
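The class of bug discussed above is a program writing attacker-influenced text (a process name, a log line, a file name) to a terminal without filtering control bytes. As an added example that is not part of this thread or of htop's code, here is a small C sanitizer that rewrites C0 control bytes and DEL in caret notation before output reaches a tty; the function names, the isatty() policy (raw bytes for pipes and files, filtered for terminals) and the sample process name are all assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Rewrite terminal control bytes in caret notation so that an untrusted
 * string cannot inject escape sequences (title changes, cursor moves,
 * OSC/CSI commands) into the user's terminal.
 * C0 controls (0x00-0x1f) except '\n' and '\t' become "^X", DEL becomes "^?".
 * Bytes >= 0x80 pass through unchanged so UTF-8 text survives.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * output buffer is too small. */
int sanitize_for_terminal(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        unsigned char c = *p;
        if ((c < 0x20 && c != '\n' && c != '\t') || c == 0x7f) {
            if (o + 2 >= outlen)
                return -1;
            out[o++] = '^';
            out[o++] = (char)(c == 0x7f ? '?' : c + 0x40); /* ESC -> "^[" */
        } else {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Write an untrusted string to fp, filtering only when fp is a terminal
 * (assumed policy, similar to what ls does). Returns 0 on success, -1 on error. */
int write_untrusted(FILE *fp, const char *s)
{
    char buf[4096];
    if (!isatty(fileno(fp)))
        return fputs(s, fp) == EOF ? -1 : 0;
    if (sanitize_for_terminal(s, buf, sizeof buf) < 0)
        return -1;
    return fputs(buf, fp) == EOF ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: a process name carrying an OSC title-set sequence. */
    const char *name = "sshd\x1b]0;owned\x07 -D";
    write_untrusted(stdout, name); /* on a tty prints: sshd^[]0;owned^G -D */
    putchar('\n');
    return 0;
}
```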
