Re: [oss-security] CVE Request: Planeshift buffer overflow
On 05/17/2012 09:53 PM, Andres Gomez wrote:
> Hi Kurt,
> The fact that only a local user can modify program files doesn't
> mean there is no security risk, there are a lot of examples but
> look at this:
That's a very different scenario than this one as I understand it.
TORCS actually has a realistic requirement for using TORCS files
supplied by the user (that are downloaded from remote sites/etc.).
> this is very similar, only a local user can modify software files,
> but as defined by Mitre this bug "allows user-assisted remote
> attackers to execute arbitrary code", because an attacker can
> deceive a user to download and use a specially crafted file. I
> accept the fact that "chatbubbles.xml" being a configuration file
> makes it harder to be replaced, but still there is a risk.
In the case of Planeshift the chatbubbles.xml is not supplied by the
user, it comes with the program and is installed into a system
directory. This is very different from the TORCS situation. If you can
convince a user to start replacing system config files then almost
every program needs a CVE by that definition (I can think of a few
hundred programs on Linux that have config files that result in other
programs/script/commands being run that can be easily obfuscated to do
Steven: comments, do you think this needs a CVE?
> Thanks for the feedback,
> Andres Gomez
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993