Date: Thu, 11 Oct 2007 18:49:04 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: "Steven M. Christey" <coley@...re.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: URI handling as the harbinger of interaction errors

* Steven M. Christey:

> Throughout this whole discussion on URI handling and IE, let's not
> forget that:
>
> 1) ANY technology that uses "handlers" that pass commands and
>    arguments from one process to another, is likely to have these
>    kinds of issues.  Web browsers are just the first to get this kind
>    of attention.  All products that support plugins, whether web-based
>    or not, should be examined for this type of problem.

Uh, the "first" part is not quite true.  There was some discussion about
mailcap entries, and whether you should use %s or '%s' at some time in
the 90s.

> 2) Programs that were formerly assumed to be safe because they were
>    only ever intended to be invoked by a single user, will now become
>    unsafe if they're referenced in a handler.  Think second-order
>    symlink issues as one example, or buffer overflows in command-line
>    arguments for non-setuid programs that are likely to be used in
>    handlers (image converters, anyone?)

Again, we have been through this with *roff, Ghostscript (and its various
front ends), DVI viewers and TeX itself, and many more (and the classic
"unshar", of course).  It's just another round on a different operating
system.

Image viewers are particularly interesting because even if your favorite
and bug-ridden MIME types like image/gif are handled by a (supposedly
patched) mail/web client, chances are that the image viewer recognizes a
GIF image even if it is declared as image/x-xwindowdump, exposing its
vulnerable GIF code.
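
Added example, not part of Florian Weimer's post or of any tool it names: a Python sketch of the two defensive points above. The first function shows what a shell makes of a mailcap-style template expanded with `%s`, `'%s'` or `shlex.quote`, and the dispatcher then sidesteps the whole quoting question by substituting `%s` as one argv element and never building a shell command string. The magic-byte check refuses to hand content to a handler when the declared MIME type disagrees with what the bytes actually are, which is the mismatch the last paragraph describes. The handler table, the viewer names `gifviewer` and `xwdviewer`, and the sample bytes are constructed for the example.

```python
import shlex
import subprocess

# Constructed mailcap-style handler table; the viewer names are hypothetical.
HANDLERS = {
    "image/gif": "gifviewer %s",
    "image/x-xwindowdump": "xwdviewer %s",
}

# A few well-known file signatures (magic bytes) and the type they imply.
MAGIC = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]


def sniff_type(data):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    return None


def type_mismatch(declared_type, data):
    """Return the sniffed type when it contradicts the declared one, else None."""
    sniffed = sniff_type(data)
    if sniffed is not None and sniffed != declared_type:
        return sniffed
    return None


# Three ways a template's %s has been filled in over the years.
def quote_none(name):
    return name


def quote_single(name):
    return "'" + name + "'"


def shell_arg_count(template, filename, quote):
    """Expand the template as a shell command string and count the words a
    POSIX shell would produce; -1 means the quoting is unbalanced."""
    expanded = template.replace("%s", quote(filename))
    try:
        return len(shlex.split(expanded))
    except ValueError:
        return -1


def handler_argv(template, filename):
    """Substitute %s as exactly one argv element.  The filename is never
    re-parsed by a shell, so spaces or quotes in it cannot change the
    command structure."""
    return [filename if tok == "%s" else tok for tok in shlex.split(template)]


def plan_dispatch(declared_type, data, filename):
    """Return the argv to run, or None if the content must not be dispatched
    (unknown handler, or the bytes contradict the declared type)."""
    if type_mismatch(declared_type, data) is not None:
        return None
    template = HANDLERS.get(declared_type)
    if template is None:
        return None
    return handler_argv(template, filename)


def run_handler(argv):
    """Invoke the planned handler without a shell (no shell=True)."""
    return subprocess.run(argv, shell=False, check=False)


# Constructed sample: a GIF header declared under an unrelated MIME type.
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"

if __name__ == "__main__":
    for quote in (quote_none, quote_single, shlex.quote):
        print(quote.__name__, shell_arg_count("gifviewer %s", "it's my.gif", quote))
    print(plan_dispatch("image/x-xwindowdump", SAMPLE_GIF, "shot.xwd"))
    print(plan_dispatch("image/gif", SAMPLE_GIF, "it's my.gif"))
```

With the bare `%s` a filename containing a space becomes extra arguments, with `'%s'` a filename containing a single quote leaves the shell with unbalanced quoting, and only `shlex.quote` survives both; the argv path makes all three cases moot, and the sniff check stops the "declared as x-xwindowdump, parsed as GIF" case from reaching the GIF handler at all.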
