List: oss-security
Subject: Re: [oss-security] CVE or not: 2x grml-debootstrap
From: cve-assign () mitre ! org
Date: 2015-01-27 18:14:04
Message-ID: Pine.LNX.4.64.1501271310560.11165 () beijing ! mitre ! org
> I recently ran into two bugs in grml-debootstrap, documented in detail
> at the following GitHub issues.
>
>
> 1) For the first
>
> Issues with sourcing cmdlineopts.clp from current working directory
> https://github.com/grml/grml-debootstrap/issues/59
>
> I am rather clear about exploitability.
> Please review the proposed approach for a fix.
Use CVE-2015-1378.
>
> 2) For the second
>
> Lack of user input escaping / use of $!`"\ in passwords
> https://github.com/grml/grml-debootstrap/issues/58
>
> I still wonder about realistic exploitation scenarios. Since the tool
> is usually executed by root or using sudo, input from a non-root user
> would need to make its way into the command line, unfiltered or filtered
> insufficiently.
A CVE will not be assigned at this time.
> It could either be a service like
>
> live-build
> http://cgi.build.live-systems.org/cgi-bin/live-build
>
> (they don't call grml-debootstrap, if the code is [2])
> or a sudoers config like
>
> user23 ALL=(ALL) NOPASSWD: /usr/sbin/grml-debootstrap \
> --password * .....
>
> though I am not sure how much of a likely setup that is.
>
> Other ideas on scenarios?
> Also, please review my proposal on escaping.
>
> Thanks and best,
>
>
>
> Sebastian
>
>
> [1] https://github.com/grml/grml-debootstrap
> [2] https://packages.debian.org/de/wheezy/live-build
---
CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
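The two bug classes in the message, reproduced as an added example (hypothetical helper functions and a constructed sample password; this is not the message's own text and not grml-debootstrap's code): a password interpolated into a "sh -c" command string, beside two ways of handing the value over that need no escaping at all, and a config-loading check that refuses the relative-path sourcing of issue 59. "printf" stands in for whatever privileged command a real tool would run, such as piping "root:$pw" into chpasswd inside the target chroot.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not grml-debootstrap's own code). The
# stand-ins below reproduce the bug classes from the thread:
#   - a password interpolated into a "sh -c" command string (issue #58), and
#   - a config file sourced from the caller's current directory (issue #59).
# "printf" stands in for the privileged command a real tool would run, such
# as piping "root:$pw" into chpasswd inside the target chroot.

# Constructed sample input: a password carrying a command substitution. An
# attacker-controlled value could just as well use backquotes, ';', quotes or
# backslashes, which is why a hand-written escaping table is fragile.
SAMPLE_PW='pw$(echo INJECTED)'

# Vulnerable: the inner command is built by string concatenation, so the
# inner shell re-parses the password as shell syntax and runs "$(...)".
set_password_unsafe() {
    pw=$1
    sh -c "printf '%s\n' root:$pw"
}

# Fixed: the password is handed to the inner shell as a positional parameter
# and only ever expanded inside double quotes, so it never becomes syntax.
# No escaping is needed, hence no character that can be forgotten.
set_password_safe() {
    pw=$1
    sh -c 'printf "%s\n" "root:$1"' sh "$pw"
}

# Also fixed, and closer to how chpasswd is normally driven: feed the value on
# stdin instead of the command line, which additionally keeps it out of "ps".
set_password_stdin() {
    printf '%s\n' "root:$1" | sh -c 'IFS= read -r line; printf "%s\n" "$line"'
}

# Issue #59 analogue: ". cmdlineopts.clp" resolves against the caller's
# current directory, so "cd /tmp/evil && sudo tool" sources the attacker's
# file as root. Only source an absolute path to a regular, non-symlink file
# that nobody but its owner can write. (A production check would also
# require root ownership; that is left out here because it is not portable
# in plain POSIX sh.)
source_config() {
    conf=$1
    case $conf in
        /*) ;;
        *)  echo "refusing relative config path: $conf" >&2; return 1 ;;
    esac
    if [ -L "$conf" ] || [ ! -f "$conf" ]; then
        echo "config must be a regular file, not a symlink: $conf" >&2
        return 1
    fi
    # POSIX find with octal masks: -020 = group-writable, -002 = world-writable.
    if [ -n "$(find "$conf" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "config is group- or world-writable: $conf" >&2
        return 1
    fi
    . "$conf"
}

# Demo: only the unsafe variant lets the password's "$(...)" execute.
set_password_unsafe "$SAMPLE_PW"   # root:pwINJECTED
set_password_safe "$SAMPLE_PW"     # root:pw$(echo INJECTED)
set_password_stdin "$SAMPLE_PW"    # root:pw$(echo INJECTED)
```

Passing the value as a positional parameter or on stdin sidesteps the question of which characters need escaping, so there is no escaping list to keep complete. On the sudoers scenario quoted above: a "*" in a sudoers command specification matches any number of arguments, including none, so a rule of that shape constrains the argument list less than it appears to.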