
List:       oss-security
Subject:    [oss-security] Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution
From:       Eduardo Tongson <propolice () gmail ! com>
Date:       2014-04-22 7:46:48
Message-ID: CANDc0N+RU6oJ0aDYUGGB6o9AQCD9HODEX58+r838Kzf3Ly=mPw () mail ! gmail ! com

On Tue, Apr 22, 2014 at 12:11 PM,  <cve-assign@mitre.org> wrote:
> ...
> Use CVE-2014-2913.
>
>

Thanks.

> We have not seen additional comments about whether \r would prevent an
> alternate attack approach. If it does, a separate CVE ID would be
> assigned. We do not know of a version of Bash in which \r separates
> commands in the same way that \n does. For example:
>
>   % /bin/bash -c "`echo -e "echo a\x0aecho b"`" | cat -v
>   a
>   b
>   % /bin/bash -c "`echo -e "echo a\x0decho b"`" | cat -v
>   a^Mecho b
>

Agreed. It's pointless to add a bunch of characters to a blacklist if
they do not have any effect.
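
The quoted test, extended from \n and \r to the other ASCII whitespace control bytes, as an added example that is not part of the original message. The function name `separates_commands`, its octal-code argument and the list of candidate bytes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which ASCII control bytes
# make bash treat "echo a<byte>echo b" as two separate commands.

# separates_commands OCTAL
# Returns 0 if the byte with that octal code splits the two commands,
# 1 otherwise. Name and interface are assumptions of this example.
separates_commands() {
    # Build the raw byte; the trailing "x" keeps $(...) from stripping
    # a newline, and is removed again on the next line.
    sep=$(printf "\\${1}x")
    sep=${sep%x}
    # Two separate commands print "a" and "b" on their own lines.
    expected='a
b'
    out=$(bash -c "echo a${sep}echo b" 2>/dev/null)
    [ "$out" = "$expected" ]
}

# Candidate bytes: TAB, LF, VT, FF, CR (octal codes).
for code in 011 012 013 014 015; do
    if separates_commands "$code"; then
        printf 'octal %s separates commands: an input filter must reject it\n' "$code"
    else
        printf 'octal %s does not separate commands\n' "$code"
    fi
done
```

Running it against the Bash build actually deployed shows which bytes have an effect there, which is the question the reply raises about the blacklist.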