There is a format string vulnerability in the handling of the monitor "memory dump" command. If the string to be output contains any % sign, it is interpreted as a command for the output, normally resulting in a crash. Even more sophisticated exploits, like arbitrary code execution on the host machine, are possible. http://www.trikaliotis.net/vicekb/vsa-2004-1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0453 http://www.trikaliotis.net/vicekb/vice-1.14-mon-vuln.diff.gz
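As an added illustration, not VICE's code or the linked patch: the bug class the report describes (a user-supplied string passed as a printf-family format) beside the corrected form, using hypothetical function names and constructed sample bytes.

```c
/* Added example, not VICE's code: the vulnerable pattern behind CAN-2004-0453
 * and its fix. A user-controlled string must never be the format argument;
 * pass it as data via "%s". Function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Formats one "memory dump" line, "<label>: <hex bytes>", into out.
 * Returns the number of characters written (excluding the NUL), or -1 on
 * truncation.
 *
 * Vulnerable shape (what the report describes, paraphrased):
 *     n = snprintf(out, outlen, label);   // label comes from the user
 * Any '%' in label is parsed as a conversion directive, so the call reads
 * arguments that were never passed (typically a crash) or, with %n, writes.
 */
int mon_dump_line(char *out, size_t outlen, const char *label,
                  const unsigned char *mem, size_t len)
{
    /* Fixed shape: the format is a literal; label is a plain "%s" argument. */
    int n = snprintf(out, outlen, "%s:", label);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    for (size_t i = 0; i < len; i++) {
        int m = snprintf(out + n, outlen - (size_t)n, " %02x", mem[i]);
        if (m < 0 || (size_t)m >= outlen - (size_t)n)
            return -1;
        n += m;
    }
    return n;
}

/* Review-side check: count '%' characters in a string that is about to reach
 * a printf-family call. A non-zero count on user-controlled input marks the
 * spot where the literal-format fix above is needed. */
int count_format_chars(const char *s)
{
    int c = 0;
    for (; *s; s++)
        if (*s == '%')
            c++;
    return c;
}

int main(void)
{
    const unsigned char mem[4] = {0xA9, 0x00, 0x8D, 0x20}; /* constructed bytes */
    char line[64];
    int n = mon_dump_line(line, sizeof line, "%x%x%n", mem, sizeof mem);
    printf("%d chars: %s\n", n, line); /* the '%'s are printed literally */
    return 0;
}
```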
CAN-2004-0453 games: it looks like app-emulation/vice is in your herd... Could you apply the provided patch and bump the ebuild? Thanks.
vice-1.14-r1.ebuild in CVS with the patch. Go ahead and close.
GLSA drafted: security please review. Note: - Changed the severity to low as a user has to type a specific string for this bug to be exploitable. Referenced advisory also rates severity as low. - CAN-2004-0453 reference is not included as it is still under review.
Yeah, I don't know if it's worth sending out a glsa on this. There is no privilege escalation due to the bug in vice. It's basically the same as telling some noob to run a dangerous command from the command-line.
aervosz and I agree for no GLSA on this one. Closing.
Was it mentioned in the ChangeLog that there was a security fix? From what I have gathered from our users, silently fixing a security flaw, no matter how small, is bad in their eyes. I think it would probably be better to issue a GLSA mentioning the fact that the bug was only exploitable by a user to give privileges of the same user, and therefore of very low severity, but still a GLSA should be issued. After all, there *was* a security bug that has now been resolved. Is that not what a GLSA is for? *grin*
A vulnerability requiring, to be exploited, that you type an esoteric command yourself is not really a vulnerability. It shouldn't have been a security bug in the first place. Otherwise bash and rm are vulnerable too, and should be masked :) If you still disagree, please comment.
You're right. That isn't an "exploit" but rather a simple "bug" in the code.