nano-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Nano-devel] Vulnerability

From: Joshua Rogers
Subject: Re: [Nano-devel] Vulnerability
Date: Sat, 12 Jan 2013 14:30:47 +1100
User-agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/17.0 Thunderbird/17.0
OK.
There is one vulverability, and one bug;

Vuln:
Download: http://124.191.82.19:8012/nn

nano nn

alt control _ 50000 (go to line 50k)

control j
control k
Now let it load.
Now control j again.

And it should segfault.
strace can be found here: http://124.191.82.19:8012/nano.txt
I don't know if it can be used for cmd execution, but yeah.

Bug:

Open a file

alt control underscore 50000000000000000000 (over max intergar)
it will give you: [ Invalid line or column number ]
now that's good, but then if you alt control underscore 20, it will give you that message aswell.
and it will always give you that message until you exit out of nano, and restart it.


Thanks

Joshua Rogers - Retro Game Collector && IT Security Specialist
gpg pubkey
On 12/01/13 14:01, Chris Allegretta wrote:
This one is fine Joshua

On Fri, Jan 11, 2013 at 7:11 PM, Joshua Rogers <address@hidden> wrote:

Which email would be the best to report a vulnerability in GNU Nano?

Thanks


--
Joshua Rogers - Retro Game Collector && IT Security Specialist
gpg pubkey

_______________________________________________
Nano-devel mailing list
address@hidden
https://lists.gnu.org/mailman/listinfo/nano-devel

reply via email to
[Prev in Thread] Current Thread [Next in Thread]