oss-sec mailing list archives
Re: CVE request: lsyncd command injection
From: cve-assign () mitre org
Date: Thu, 20 Nov 2014 01:55:09 -0500 (EST)
There is a command injection flaw in lsyncd, a file change monitoring and synchronization daemon:

https://github.com/axkibe/lsyncd/issues/220
https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227

Use CVE-2014-8990. The scope of this CVE ID includes both:

1. code execution with ` characters or other characters that are special to a shell

2. denial of service scenarios in which a user with write access to a local directory uses special characters to make synchronization fail (might have security relevance in some scenarios)

The MITRE CVE team does not have a Lua expert. The code change adds:

  local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
  local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')

This does not seem to be the typical fix approach for unsafe input to a shell. Has anyone concluded that this is an incomplete fix that ought to be modified before the 2.1.6 release?

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
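An added check, not code from lsyncd or from the message above, of what the quoted gsub chain leaves for a POSIX shell once the escaped path is placed inside double quotes. escape_like_fix re-creates the three substitutions in Python, escape_double_quoted is a hypothetical variant that also doubles backslashes, and the sample paths are constructed; the usual remediation, handing the program an argument vector with no shell in between, needs no such escaping at all.

```python
"""Models POSIX double-quote tokenising to check what an escaping function
leaves for the shell when a path is spliced into "...".  Constructed inputs;
escape_like_fix re-creates the quoted gsub chain, escape_double_quoted is a
hypothetical corrected variant (neither is lsyncd code)."""


def escape_like_fix(path: str) -> str:
    """Same three substitutions as the Lua gsub chain: '"', '`' and '$'."""
    return path.replace('"', '\\"').replace('`', '\\`').replace('$', '\\$')


def escape_double_quoted(path: str) -> str:
    """Backslash is itself special inside "...", so double it first."""
    path = path.replace('\\', '\\\\')
    return path.replace('"', '\\"').replace('`', '\\`').replace('$', '\\$')


def analyse_quoted_word(body: str) -> dict:
    """Scan the body of a "..." word as a POSIX shell tokenizer would.

    Inside double quotes a backslash escapes the next character when it is
    one of \\ " $ ` (or newline); an unescaped $ or ` starts an expansion;
    an unescaped " ends the word early.  Returns whether the intended
    closing quote is reached and how many expansions would be performed.
    """
    escaped, expansions = False, 0
    for ch in body:
        if escaped:
            escaped = False          # this character is taken literally
        elif ch == "\\":
            escaped = True
        elif ch in "$`":
            expansions += 1          # unescaped: the shell would expand here
        elif ch == '"':
            return {"terminated": False, "expansions": expansions}
    # A trailing backslash would escape the closing quote that follows it
    return {"terminated": not escaped, "expansions": expansions}


def check(path: str, escaper) -> dict:
    """Escape `path` with `escaper`, then analyse the resulting "..." body."""
    return analyse_quoted_word(escaper(path))


if __name__ == "__main__":
    for sample in ["report $USD.txt", "trailing\\", 'a\\"b', "x\\$HOME"]:
        print(repr(sample), check(sample, escape_like_fix),
              check(sample, escape_double_quoted))
```

A path whose closing quote is never reached breaks the generated command (the denial-of-service case), while an unescaped expansion left behind is the code-execution case; both come from the one character the gsub chain does not handle.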