oss-sec mailing list archives
Re: Re: CVE Request (minor) -- osc: Improper sanitization of terminal emulator escape sequences when displaying build log and build status
From: Marcus Meissner <meissner () suse de>
Date: Wed, 29 Feb 2012 17:01:33 +0100
On Tue, Feb 28, 2012 at 04:21:20PM -0700, Kurt Seifried wrote:
> On 02/28/2012 03:44 PM, Marcus Meissner wrote:
>> On Tue, Feb 28, 2012 at 06:56:52PM +0100, Jan Lieskovsky wrote:
>> I am not fully convinced it needs a CVE. It basically boils down to the old "logfile with content that might be controlled by an attacker pasted raw to a terminal" issue.
>
> Aren't these generally covered? CVE-2010-3928 CVE-2010-2713 CVE-2009-4487 "without sanitizing non-printable characters" and so on.
Hmm yes. So I would say yes to a CVE id. Please assign.
There is some more control on the person who builds a specific package what is output than there usually is in logfiles though. A rogue server is unlikely, however a malicious packager could echo "bad escape code" in his build and then ask for help on our IRC channels or mailing lists with package Y on project X. (anyone can create an account and build packages ... and asking for help is not uncommon) e.g. with "look at logfile with: 'osc buildlog home:user foopackage standard i586'.)
Ciao, Marcus
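The mitigation the thread is asking for, as an added example that is not osc's own code: a filter that strips terminal control sequences (CSI, OSC and other ESC-introduced sequences, plus stray C0/C1 control bytes) from build-log text before it is written to a terminal, with an option to keep plain SGR colour codes. The sample log lines are constructed for the example, and the log is assumed to already be a decoded Python string.

```python
import re

# Constructed sample build log (not from any real build). It mixes a clean line, an
# OSC title-set sequence, CSI clear-screen/colour sequences, and stray control bytes.
SAMPLE_LOG = (
    "[  1s] building foopackage.spec\n"
    "[  2s] \x1b]0;pwned title\x07gcc -O2 -c foo.c\n"
    "[  3s] \x1b[2J\x1b[31mERROR\x1b[0m: foo.c:12: undefined reference\n"
    "[  4s] bell \x07 and tab\tkept, del\x7f gone \x1b\n"
)

# Alternatives are tried in order, so a complete CSI/OSC/nF sequence is consumed as a
# unit; a lone ESC with no valid continuation falls through to the control-byte class.
_UNSAFE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: ESC ] ... BEL or ESC \ (ST)
    r"|\x1b[ -/]*[0-~]"                    # other ESC sequences (nF, Fp, Fs, Fe)
    r"|[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]"  # C0 controls (except TAB/LF), DEL, C1
)

# Select Graphic Rendition only: ESC [ digits/semicolons m (colour, bold, reset).
_SGR = re.compile(r"\x1b\[[0-9;]*m")


def sanitize_log_line(line: str, keep_sgr: bool = False) -> str:
    """Remove terminal escape sequences and control characters from one log line.

    TAB and LF are kept because they are harmless layout. With keep_sgr=True,
    colour/attribute sequences survive while everything else is still dropped.
    """
    def repl(match: re.Match) -> str:
        seq = match.group(0)
        if keep_sgr and _SGR.fullmatch(seq):
            return seq
        return ""
    return _UNSAFE.sub(repl, line)


def sanitize_log(text: str, keep_sgr: bool = False) -> str:
    """Apply sanitize_log_line to every line of a multi-line log."""
    return "\n".join(sanitize_log_line(l, keep_sgr) for l in text.split("\n"))


if __name__ == "__main__":
    # Safe to print even though SAMPLE_LOG contains hostile sequences.
    print(sanitize_log(SAMPLE_LOG))
```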