[Pkg-erlang-devel] Bug#738132: CVE-2014-1693

Moritz Mühlenhoff jmm at inutil.org
Sun Feb 9 01:02:02 UTC 2014


On Sat, Feb 08, 2014 at 11:06:33AM +0400, Sergei Golovan wrote:
> Hi Moritz,
> 
> On Sat, Feb 8, 2014 at 10:01 AM, Sergei Golovan <sgolovan at nes.ru> wrote:
> > Hi Moritz!
> >
> > On Sat, Feb 8, 2014 at 2:52 AM, Moritz Muehlenhoff <jmm at debian.org> wrote:
> >>
> >> Hi,
> >> please see http://seclists.org/oss-sec/2014/q1/163 for details.
> >>
> >> This doesn't warrant a DSA, but can be fixed in a point update.
> >
> > As far as I can see this bug is already reported upstream, but still
> > isn't fixed in GIT. I'll try to prepare a fix myself.
> 
> Looking further, I'm not sure now if it's a security bug at all. It's
> a bug in a client, which accidentally may send several commands into
> the FTP control socket at once instead of one. I wonder why it got a CVE
> number?

The attack scenario is written down in the link above:

----
A web server allows users to navigate and download documents. Internally the 
web server connects to a private ftp server using OTP "ftp" module. An 
attacker might take advantage of the vulnerability to execute actions that 
aren't supposed to be exposed. E.g. delete a directory by requesting:
http://www.example.com/list_dir.yaws?dir=/docs/%0d%0aRMD+/docs
----

But I agree that it's fairly far-fetched. Hence my comment about not
warranting a DSA. Maybe we can simply queue it up in case there's a
more severe erlang issue affecting wheezy in the future.

Cheers,
        Moritz
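The scenario quoted above, modelled in Python as an added example (it is not code from this thread, from OTP's ftp module, or from the oss-sec post): a client helper that interpolates a caller-supplied path straight into the FTP control connection, a constructed stand-in for the server's command reader showing that `%0d%0aRMD+/docs` turns one `CWD` into a `CWD` followed by an `RMD`, and a hardened builder that refuses arguments containing CR or LF. The `dir=` parameter handling, the in-memory parser and the `FtpArgumentError` name are assumptions made for the illustration; the hardened builder shows the general mitigation (reject line terminators in single-line protocol arguments), not the exact upstream patch.

```python
"""
Added example for CVE-2014-1693 style FTP command injection.
Not from the mailing-list thread, OTP, or the oss-sec post; the server
side is a constructed in-memory parser, so nothing touches the network.
"""
from urllib.parse import unquote_plus

CRLF = b"\r\n"


def build_command_unsafe(verb: str, arg: str) -> bytes:
    """Vulnerable formatting: the argument goes onto the wire verbatim.
    A CR/LF inside `arg` ends the line early, and whatever follows is
    read by the server as a second, attacker-chosen command."""
    return f"{verb} {arg}".encode("utf-8") + CRLF


class FtpArgumentError(ValueError):
    """Assumed error type: argument cannot fit in one FTP command line."""


def build_command_safe(verb: str, arg: str) -> bytes:
    """Hardened formatting: RFC 959 commands are single lines terminated
    by CRLF, so any CR or LF in the argument is rejected outright rather
    than escaped (FTP has no quoting mechanism for them)."""
    if "\r" in arg or "\n" in arg:
        raise FtpArgumentError(f"CR/LF not allowed in FTP argument: {arg!r}")
    return f"{verb} {arg}".encode("utf-8") + CRLF


def parse_control_stream(data: bytes) -> list[tuple[str, str]]:
    """Constructed stand-in for an FTP server's command reader: split the
    control stream on CRLF and return (VERB, argument) pairs."""
    commands = []
    for line in data.split(CRLF):
        if not line:
            continue
        verb, _, arg = line.decode("utf-8").partition(" ")
        commands.append((verb.upper(), arg))
    return commands


def decode_dir_param(raw: str) -> str:
    """Assumed web-layer decoding of the `dir=` query parameter:
    '+' becomes a space and %0d%0a becomes CR LF."""
    return unquote_plus(raw)


def commands_seen_by_server(dir_param: str, builder) -> list[tuple[str, str]]:
    """Simulate the web server asking the FTP client for `CWD <dir>` and
    return what the FTP server would actually parse from the stream."""
    wire = builder("CWD", decode_dir_param(dir_param))
    return parse_control_stream(wire)


def safe_builder_rejects(dir_param: str) -> bool:
    """True if the hardened builder refuses this parameter."""
    try:
        commands_seen_by_server(dir_param, build_command_safe)
    except FtpArgumentError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload matching the oss-sec scenario's query string.
    payload = "/docs/%0d%0aRMD+/docs"
    print("unsafe client:", commands_seen_by_server(payload, build_command_unsafe))
    print("safe client rejects:", safe_builder_rejects(payload))
```

Running it shows the unsafe client delivering two commands, `CWD /docs/` and then `RMD /docs`, from what the web application believed was a single directory argument, while the hardened builder raises before anything reaches the socket. The same check applies to every argument the client writes to the control channel (user names, rename targets, file names), not just directory paths.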
