Bugtraq mailing list archives

Re: Re: [oss-security] Re: [OVSA20121112] OpenVAS Manager Vulnerable To Command Injection


From: Michal Ambroz <rebus () seznam cz>
Date: Wed, 14 Nov 2012 18:09:19 +0100 (CET)

Hello Jan,

in version 2.0.5 the discussed vulnerable like looks like this:
     command = g_strdup_printf ("/bin/sh %s %s > %s"
                                 " 2> /dev/null",
                                 script,
                                 xml_file,
                                 output_file);

So there is not IP and PORT to be sanitized so 2.0.5 is probably on the safe side of this vulnerability.

If you deem it safer we can bump to current 3.0.x version - I know it is usually nono, but there should be no 
casualties,
since I sincerely doubt there are _ANY_ openvas users on Fedora distribution (16/17) as half of the openvas suite 
packages is still under review.

Mainly the openvas suite doesn't work on current Fedora due to incompatibility between openvas network stack 
(openvas-libraries) and the gnutls library we have in Fedora.

Best regards
Michal Ambroz
(one of Fedora openvas-* packagers)




< ------------ Původní zpráva ------------
< Od: Jan Lieskovsky <jlieskov () redhat com>
< Předmět: Re: [oss-security] Re: [OVSA20121112] OpenVAS Manager Vulnerable To
< Command Injection
< Datum: 14.11.2012 11:55:09
< ----------------------------------------
< Hello Tim,
<
<   thank you for the heads up and notification.
<
< The versions of openvas-manager package, as shipped with Fedora release of 16
< and release of 17 is based on upstream 2.0.5 version yet. From what I have
< looked
< and can tell from upstream advisory and patch (for 3.0.X version):
< [1] http://www.openvas.org/OVSA20121112.html
< [2]
< http://wald.intevation.org/scm/viewvc.php?view=rev&root=openvas&revision=14437
<
< the CVE-2012-5520 does not seem to be applicable to OpenVAS-4 / openvas-manager
< 2.0.5
< version yet:
< [3]
< http://lists.wald.intevation.org/pipermail/openvas-announce/2012-August/000140.html
<
< But prior definitely classifying Fedora 16 and Fedora 17 openvas-manager package
< versions
< as not vulnerable to this issue, I would like to hear opinion / confirmation
< from someone
< more familiar with OpenVAS code.
<
< So could you confirm the CVE-2012-5520 wouldn't affect OpenVAS-4 2.0.X version
< (yet)?
<
< Thank you && Regards, Jan.
< --
< Jan iankko Lieskovsky / Red Hat Security Response Team
<
< ----- Original Message -----
< Doh, a document gets proof read by multiple people and yet it contains a
< mistake.  In the Current Status section of the advisory, the date is 
< incorrect.  A corrected advisory is attached.
<
< Tim
< --
< Tim Brown
< <mailto:timb@openvas,org>
< <http://www.openvas.org/>
<
<
<


Current thread: