CVE-2017-17514: shell argument injection via crafted URL #70
Comments
Hi Benjamin, thanks for letting me know! My guess is that this is a false positive from an automated search for The reference to https://github.com/jcupitt/nip2/blob/master/src/boxes.c#L727 Fetches https://github.com/jcupitt/nip2/blob/master/src/watch.h#L300 In prefs, https://github.com/jcupitt/nip2/blob/master/share/nip2/start/Preferences.ws#L381 And https://github.com/jcupitt/nip2/blob/master/share/nip2/start/Preferences.ws#L740 I'll try submitting a correction, with this issue as evidence.
OK, I've asked for the issue to be closed, request number 434637. I'll update if I hear back. Thanks again!
Hi John, where does the URL argument come from? Is it possible that a malicious workspace could embed a URL with a semicolon and a shell command?
The preferences are kept as a workspace, but it's a special one that nip2 loads directly.
It's true that if an attacker could modify the prefs file (the user's personal one is kept in Does that count as a vulnerability? If they can modify that file, they can modify
I don't think an attack that requires the attacker to modify the prefs file is a meaningful vulnerability, provided that there's no way for a workspace to do that autonomously. I see the CVE entry is now marked DISPUTED.
Hi John, CVE-2017-17514 showed up today:
Except for the Debian security tracker page, I can find no information about it, so I'm guessing you weren't informed either. 8.4.0 is apparently the last version packaged by Debian, but later nip2 releases also carry the same code.
In case it's useful, there's a form for submitting updates or corrections to CVE records.
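The concern raised in this thread, a URL carrying a semicolon and a shell command into a browser launcher, shown as an added example that is not nip2's code and not part of the original discussion. The function names, the `"%s %s"` command template and the sample URLs are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Risky pattern (assumed, for contrast): the string a program would hand to
 * system(). Built here but never executed. A ';' in the URL ends the browser
 * command and starts a second one once /bin/sh parses the line. */
int shell_command_line(char *out, size_t n, const char *browser, const char *url)
{
    return snprintf(out, n, "%s %s", browser, url);
}

/* Allow-list check: http(s) scheme only, and only characters from a reduced
 * URL alphabet. Stricter than RFC 3986: whitespace, quotes, backslash and
 * the sub-delims ; $ ' ( ) ! * are rejected. */
int url_is_safe(const char *url)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789-._~:/?#[]@%&+=,";
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;   /* also rules out a leading '-' read as an option */
    return url[strspn(url, ok)] == '\0';
}

/* Hardened launch: the URL is a single argv element and no shell is involved.
 * Returns the browser's exit status (127 if exec fails), or -1 if the URL is
 * rejected or fork/waitpid fails. */
int open_url(const char *browser, const char *url)
{
    if (!url_is_safe(url))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(browser, browser, url, (char *)NULL);
        _exit(127);   /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The allow-list is defence in depth: passing the URL through `execlp` as its own argument is what keeps a shell from ever interpreting it.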