oss-sec mailing list archives
Re: CVE id request: htop
From: Nico Golde <oss-security+ml () ngolde de>
Date: Sat, 15 Nov 2008 14:34:07 +0100
Hi, * Steven M. Christey <coley () linus mitre org> [2008-11-14 19:40]:
Sorry Jan and Nico, I didn't follow up with you on this. There were some questions about whether this deserved a CVE, since THOUSANDS of programs dump output without considering whether they're writing to a terminal... or what they're writing to a terminal.
Yes true.
For example, should the "cat" program become more terminal-aware and avoid sending dangerous sequences? Which of dozens of different terminal types should it avoid sending these sequences to? Should it get a new CVE every time it forgets about some other terminal? Not to mention "more" and "ls" and "grep" and many others. We were forced to flag Apache a number of years ago because it didn't filter certain dangerous characters from its logs. I always felt a bit funny about that one.
This is really a cornercase for me too, we decided to treat this as a vulnerability but with "unimportant" impact. Thanks for the id anyway. Cheers Nico ps. Jan, I am not aware of any poc here -- Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
Attachment:
_bin
Description:
Current thread:
- CVE id request: htop Nico Golde (Nov 02)
- Re: CVE id request: htop Jan Lieskovsky (Nov 14)
- Re: CVE id request: htop Steven M. Christey (Nov 14)
- Re: CVE id request: htop Nico Golde (Nov 15)
- Re: CVE id request: htop Steven M. Christey (Nov 14)
- Re: CVE id request: htop Jan Lieskovsky (Nov 14)