Bug 471952 (CVE-2008-5076)

Summary: CVE-2008-5076 htop does not filter non-printable characters in process names
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: maxamillion, rafalzaq, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5076
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-21 21:45:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josh Bressers 2008-11-17 20:28:25 UTC 
htop 0.7 writes process names to a terminal without sanitizing
non-printable characters, which might allow local users to hide processes,
modify arbitrary files, or have unspecified other impact via a process name
with "crazy control strings."

http://www.openwall.com/lists/oss-security/2008/11/02/1
http://www.openwall.com/lists/oss-security/2008/11/14/3
http://bugs.debian.org/504144
http://xforce.iss.net/xforce/xfdb/46321
Comment 1 Fedora Update System 2008-11-18 12:30:36 UTC 
htop-0.8.1-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/htop-0.8.1-2.fc9
Comment 2 Fedora Update System 2008-11-18 12:30:39 UTC 
htop-0.8.1-2.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/htop-0.8.1-2.fc8
Comment 3 Fedora Update System 2008-11-18 12:30:42 UTC 
htop-0.8.1-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/htop-0.8.1-2.fc10
Comment 4 Adam Miller 2008-11-18 15:57:03 UTC 
htop-0.8.1-2 has been built for EPEL (EL-4 and EL-5)
http://buildsys.fedoraproject.org/build-status/job.psp?uid=783
http://buildsys.fedoraproject.org/build-status/job.psp?uid=784
Comment 5 Fedora Update System 2008-11-19 14:50:50 UTC 
htop-0.8.1-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2008-11-19 14:56:40 UTC 
htop-0.8.1-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2008-11-22 16:47:18 UTC 
htop-0.8.1-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.