
List:       oss-security
Subject:    [oss-security] Re: CVE request: Canto Feed URL Parsing Command Line Injection
From:       cve-assign () mitre ! org
Date:       2014-11-27 4:10:32
Message-ID: 20141127041032.C88816C004F () smtpvmsrv1 ! mitre ! org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Can I get a 2013 CVE for the Canto feed URL parsing command line injection
> vulnerability?
> 
> Affected versions: All versions prior to v0.9.0
> 
> https://github.com/themoken/canto-curses/commit/2817869f98c54975f31e2dd674c1aefa70749cca
> https://bugs.debian.org/731582

>> If a user starts canto and chooses to go to one URL from one feed,
>> canto constructs a sh command line to visit the URL, but it doesn't
>> remove metachars.

Use CVE-2013-7416.

One might also argue that the underlying problem is that
doc/configuration in the Canto distribution tells users to enter
link_handler lines with " quoting, e.g.,

  link_handler("elinks \"%u\"", text=True)

within the user's ~/.canto/conf.py file. This perhaps could have been
addressed either by making the %u value safe before conf.py is
executed, or by telling the user to add other Python code to conf.py
for correct quoting.

In other words, 731582 is a valid vulnerability report because the
reporter is using a quoting approach that exactly matches the vendor's
recommendation. This is not a site-specific report about an error in
one user's ~/.canto/conf.py file.

2817869f98c54975f31e2dd674c1aefa70749cca adds a shlex.quote call --
shlex.quote is found in
https://hg.python.org/cpython/file/tip/Lib/shlex.py and has:

   return "'" + s.replace("'", "'\"'\"'") + "'"
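
As an added illustration (not part of the original message or of the Canto code), the script below contrasts the two behaviours the thread describes: substituting the raw URL into the documented `elinks "%u"` template, versus quoting the URL first with the same logic as the shlex.quote line quoted above. It tokenises each resulting command line with shlex.split, the way a POSIX shell would, without executing anything, so the effect of an unquoted metacharacter can be checked offline. The sample URLs, the `%u` placeholder convention and the `build_safe` template are assumptions made for the example.

```python
import shlex

# Constructed sample URLs (not taken from the bug report): one ordinary feed
# link and one carrying a double quote and a space, the kind of metacharacters
# the report is about.
ORDINARY_URL = "http://example.com/feed/item?id=42"
HOSTILE_URL = 'http://example.com/x" extra-arg "'

# The handler template the Canto docs recommend, per the message above:
# the URL placeholder wrapped in double quotes (assumed placeholder syntax).
DOCUMENTED_TEMPLATE = 'elinks "%u"'


def build_unsafe(template, url):
    """Pre-fix behaviour: the raw URL is substituted into the template."""
    return template.replace("%u", url)


def sh_quote(s):
    """Same logic as the shlex.quote line quoted above: single-quote the whole
    string and turn each embedded ' into the sequence '"'"'.

    Note: the real shlex.quote returns strings made only of safe characters
    unquoted, so the two agree only when s contains a shell metacharacter."""
    return "'" + s.replace("'", "'\"'\"'") + "'"


def build_safe(template, url):
    """Post-fix behaviour: the URL is quoted before substitution. The template
    passed here must NOT add its own double quotes, otherwise the single
    quotes produced by sh_quote would be handed to the program as literal
    characters (assumption about how a hardened handler is written)."""
    return template.replace("%u", sh_quote(url))


def argv_of(cmdline):
    """Tokenise the command line as a POSIX shell would, without running it."""
    return shlex.split(cmdline)


def url_survives_intact(cmdline, url):
    """Defender's check: does the URL reach the program as exactly one argument,
    with no extra tokens introduced by characters inside it?"""
    argv = argv_of(cmdline)
    return len(argv) == 2 and argv[1] == url


if __name__ == "__main__":
    for url in (ORDINARY_URL, HOSTILE_URL):
        unsafe = build_unsafe(DOCUMENTED_TEMPLATE, url)
        safe = build_safe("elinks %u", url)
        print("unsafe:", unsafe, "->", argv_of(unsafe),
              "intact" if url_survives_intact(unsafe, url) else "BROKEN")
        print("safe:  ", safe, "->", argv_of(safe),
              "intact" if url_survives_intact(safe, url) else "BROKEN")
```

With the ordinary URL both forms produce two tokens. With the hostile URL the documented template yields four tokens (the program name, a truncated URL, an injected argument and an empty string), while the quoted form still yields exactly two, the second being the full URL unchanged. The same shlex.split check can be applied to any other link_handler template a user has in conf.py.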

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUdqKMAAoJEKllVAevmvms5vgH/jHWLqrfRdv2IO5lgR+MN7sg
95/nlpMv1zQrWFhSExCAIJLVJy4bIAF8SpxjQnTdcJQQlB2ffdni4LK0sD4q2amW
H3xBz5Gf41uNuieZI+PclDSkNr7u1ZsL+4MM5Ye2I5t04Wdm4u2XjQL3Ct5WAvUM
h7yMuQXmdKti9NDIDDf1PXQvmDGlNDoidvZC8v/M1oPsHOuWNfYM6euFC4repFc6
d3IBPb8tPAi8ZxZoSMMEbxDcX5OAzmCxjeaFt3JJy8lB1s4lYoS2YLlSkUI5f2kq
jgCkxYNnSKO4HCXpl4aioG11PG1vLVsbwzZ141y+8vQygIIGz+4KBmSt/E+GzrM=
=mC0o
-----END PGP SIGNATURE-----