Bug 1077059 (CVE-2014-2527, CVE-2014-2528)
Field | Value
---|---
Summary: | CVE-2014-2527 CVE-2014-2528 kdirstat: insufficient quote escaping leading to arbitrary command execution
Product: | [Other] Security Response
Component: | vulnerability
Status: | CLOSED CURRENTRELEASE
Severity: | medium
Priority: | medium
Version: | unspecified
Hardware: | All
OS: | Linux
Reporter: | Murray McAllister <mmcallis>
Assignee: | Red Hat Product Security <security-response-team>
CC: | chitlesh, kryzhev, vdanen
Keywords: | Security
Doc Type: | Bug Fix
Last Closed: | 2014-04-02 02:59:24 UTC
Bug Depends On: | 1077060, 1077061

Description
Murray McAllister
2014-03-17 06:17:37 UTC
Created k4dirstat tracking bugs for this issue:

Affects: fedora-all [bug 1077061]

Created kdirstat tracking bugs for this issue:

Affects: fedora-19 [bug 1077060]

MITRE assigned CVE-2014-2527 to the issue involving " (the one that affects Fedora)

MITRE assigned CVE-2014-2528 to the issue involving ' (as noted in the Debian report, and fixed via https://bitbucket.org/jeromerobert/k4dirstat/commits/1ad2e96d73fa06cd9be0f3749b337c03575016aa#chg-src/kcleanup.cpp)

(In reply to Murray McAllister from comment #4)
> MITRE assigned CVE-2014-2527 to the issue involving " (the one that affects
> Fedora)
>
> MITRE assigned CVE-2014-2528 to the issue involving ' (as noted in the
> Debian report, and fixed via
> https://bitbucket.org/jeromerobert/k4dirstat/commits/1ad2e96d73fa06cd9be0f3749b337c03575016aa#chg-src/kcleanup.cpp)

Reference: http://seclists.org/oss-sec/2014/q1/590

Working. I did lose "CVE-2014-2527 CVE-2014-2528" from the "Summary" but can't find how to return this change.

(In reply to Dmitrij S. Kryzhevich from comment #7)
> I did lose "CVE-2014-2527 CVE-2014-2528" from the "Summary" but can't find how
> to return this change.

Hello,

Thanks for looking at this. I have put it back in the summary (there is an "edit" button near the title of the page).

For bugs like this one (filed against the Security Response Product), we leave them in the "NEW" state until everywhere is fixed, and don't assign them to people. For the trackers/product specific bugs, such as bug 1077061 and bug 1077060, you can change their state and assign those to yourself.

http://seclists.org/oss-sec/2014/q1/590 has some discussion about the issue. I am unsure if there is a patch yet for the use of " characters :(

Thanks.

I think we could use the upstream patch as is ( http://paste.fedoraproject.org/86626/52224521/ ). The gained var "QString expanded" just goes to the shell in the way it is formatted, so there is no need to make a difference between ' and " in this part of the code. Substitution for the file/directory name goes to the following string:

rm -rf %p

There are no special signs here. But still I will run a few tests.

And one more. It was a surprise for me that there is a new upstream here ( bitbucket.org/jeromerobert/k4dirstat ).

Too many mistypes. My bad.

Looks like this patch fixes all ' and " issues. Will submit as update.

k4dirstat-2.7.0-0.14.20101010git6c0a9e6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

k4dirstat-2.7.0-0.14.20101010git6c0a9e6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
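
An added example, not taken from this bug report or from the k4dirstat source, of the quoting problem discussed in this thread: a path substituted for %p in a cleanup command such as rm -rf %p has to be quoted so that the shell treats every byte of the name literally. The function names and the sample directory name are constructed, and the weak form is an assumed illustration rather than the project's original code.

```cpp
// Added illustration (not k4dirstat code): quoting a path substituted for %p.
#include <cstdio>
#include <string>

// Weak form (assumed for illustration): wrap in double quotes, escape nothing.
// A '"' inside the name ends the quoting early; $ and ` also stay active.
std::string naiveQuote(const std::string &path) {
    return "\"" + path + "\"";
}

// Hardened form: inside single quotes a POSIX shell treats every byte as
// literal. Only ' itself needs care: close the quote, emit \', reopen.
std::string shellQuote(const std::string &path) {
    std::string out = "'";
    for (char c : path)
        out += (c == '\'') ? std::string("'\\''") : std::string(1, c);
    return out + "'";
}

// Replace every %p in the template with the already-quoted path. The search
// resumes after the inserted text, so a "%p" inside a name is not re-expanded.
std::string expandCommand(std::string tmpl, const std::string &quoted) {
    const std::string key = "%p";
    std::string::size_type pos = tmpl.find(key);
    while (pos != std::string::npos) {
        tmpl.replace(pos, key.size(), quoted);
        pos = tmpl.find(key, pos + quoted.size());
    }
    return tmpl;
}

// Have /bin/sh print the quoted word back; it must equal the original name.
std::string roundTrip(const std::string &quoted) {
    std::string out, cmd = "printf %s " + quoted;
    FILE *p = popen(cmd.c_str(), "r");
    if (!p) return out;
    char buf[256];
    std::size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) out.append(buf, n);
    pclose(p);
    return out;
}

int main() {
    const std::string name = "it's a \"test\" dir";  // constructed sample name
    std::printf("%s\n", expandCommand("rm -rf %p", shellQuote(name)).c_str());
    return roundTrip(shellQuote(name)) == name ? 0 : 1;
}
```

Where the program can start the child process with an argument vector instead of a shell command line, no quoting step is needed at all.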