lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <187375.18838.37571-15238-1550819837-1352912959@seznam.cz>
Date: Wed, 14 Nov 2012 18:09:19 +0100 (CET)
From: Michal Ambroz <rebus@...nam.cz>
To: Jan Lieskovsky <jlieskov@...hat.com>
Cc: oss-security@...ts.openwall.com, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com, Tim Brown <timb@...nvas.org>,
	Michael Wiegand <michael.wiegand@...enbone.net>
Subject: Re: [oss-security] Re: [OVSA20121112] OpenVAS
	Manager Vulnerable To Command Injection

Hello Jan,

in version 2.0.5 the discussed vulnerable like looks like this:
     command = g_strdup_printf ("/bin/sh %s %s > %s"
                                 " 2> /dev/null",
                                 script,
                                 xml_file,
                                 output_file);

So there is not IP and PORT to be sanitized so 2.0.5 is probably on the safe side of this vulnerability.

If you deem it safer we can bump to current 3.0.x version - I know it is usually nono, but there should be no casualties,
since I sincerely doubt there are _ANY_ openvas users on Fedora distribution (16/17) as half of the openvas suite packages is still under review. 

Mainly the openvas suite doesn't work on current Fedora due to incompatibility between openvas network stack (openvas-libraries) and the gnutls library we have in Fedora.

Best regards
Michal Ambroz 
(one of Fedora openvas-* packagers)




< ------------ Původní zpráva ------------
< Od: Jan Lieskovsky <jlieskov@...hat.com>
< Předmět: Re: [oss-security] Re: [OVSA20121112] OpenVAS Manager Vulnerable To
< Command Injection
< Datum: 14.11.2012 11:55:09
< ----------------------------------------
< Hello Tim,
< 
<   thank you for the heads up and notification.
< 
< The versions of openvas-manager package, as shipped with Fedora release of 16
< and release of 17 is based on upstream 2.0.5 version yet. From what I have
< looked
< and can tell from upstream advisory and patch (for 3.0.X version):
< [1] http://www.openvas.org/OVSA20121112.html
< [2]
< http://wald.intevation.org/scm/viewvc.php?view=rev&root=openvas&revision=14437
< 
< the CVE-2012-5520 does not seem to be applicable to OpenVAS-4 / openvas-manager
< 2.0.5
< version yet:
< [3]
< http://lists.wald.intevation.org/pipermail/openvas-announce/2012-August/000140.html
< 
< But prior definitely classifying Fedora 16 and Fedora 17 openvas-manager package
< versions
< as not vulnerable to this issue, I would like to hear opinion / confirmation
< from someone
< more familiar with OpenVAS code.
< 
< So could you confirm the CVE-2012-5520 wouldn't affect OpenVAS-4 2.0.X version
< (yet)?
< 
< Thank you && Regards, Jan.
< --
< Jan iankko Lieskovsky / Red Hat Security Response Team
< 
< ----- Original Message -----
< Doh, a document gets proof read by multiple people and yet it contains a 
< mistake.  In the Current Status section of the advisory, the date is 
< incorrect.  A corrected advisory is attached.
< 
< Tim
< -- 
< Tim Brown
< <mailto:timb@...nvas,org>
< <http://www.openvas.org/>
< 
< 
< 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ