Message-ID: <421B8E01.6060006@FreeBSD.org>
Date: Tue, 22 Feb 2005 13:54:41 -0600
From: Jacques Vidrine
Organization: The FreeBSD Project
To: freebsd-vuxml@FreeBSD.org
Subject: [Fwd: cvs commit: ports/security/vuxml vuln.xml]

> -------- Original Message --------
> Subject: cvs commit: ports/security/vuxml vuln.xml
> Date: Tue, 22 Feb 2005 19:27:32 +0000 (UTC)
> From: Jacques Vidrine
> To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org
>
> nectar 2005-02-22 19:27:32 UTC [...]
> Corrections:
> - An invalid UUID was assigned to a FreeRADIUS vulnerability, and went
>   undetected since last October. (>_<) Correct it.

Hi,

This is an interesting, if unfortunate, situation. If you are the author of a web site or application that processes VuXML, you should probably be aware of this specific issue.

An entry was created with an invalid `vid' attribute. The vid is supposed to be a UUID (see [1] [2]). Unfortunately, this entry apparently suffered mutilation during cut-n-paste: the last character was dropped.

I corrected the error by restoring the last character. I know what that character was "supposed to be" by looking at other entries made by the same committer. (^_^) But since the vid is used as a "key" for entries, VuXML parsing applications may need to take special action to purge the old identifier (20dfd134-1d39-11d9-9be9-000c6e8f12e) from their files/databases.

Normally when an entry is in error, we can just "cancel" it, but in this case that isn't possible: even a cancellation refers to the vid.

If you have any questions about this, please let me know!

Oh, I don't expect a repeat in the future. I'm checking for this kind of mistake now, and fairly frequently. I will likely later add a port to "lint" VuXML files, also.

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

[1] http://www.opengroup.org/onlinepubs/9629399/apdxa.htm
[2] http://www.freebsd.org/cgi/man.cgi?query=uuidgen&sektion=2
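
The kind of vid check and consumer-side cleanup the message describes, as an added example that is not code from the author or the FreeBSD project: it flags vid values that are not in canonical UUID text form and lists stored keys that no entry in the current feed uses. The sample document, the function names and every vid except the truncated one quoted in the message are constructed for illustration; the namespace URI is assumed to be the VuXML 1.x one.

```python
import re
import xml.etree.ElementTree as ET

# Canonical 8-4-4-4-12 hexadecimal text form of a UUID.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
# Assumption: entries are <vuln> elements in the VuXML 1.x namespace.
VULN_TAG = "{http://www.vuxml.org/apps/vuxml-1}vuln"

# Constructed sample, not real vuln.xml content. The second vid is the
# truncated identifier quoted in the message; the others are made up.
SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="11111111-2222-11d9-8888-0123456789ab"><topic>a</topic></vuln>
  <vuln vid="20dfd134-1d39-11d9-9be9-000c6e8f12e"><topic>b</topic></vuln>
  <vuln vid="11111111-2222-11d9-8888-0123456789ab"><topic>c</topic></vuln>
  <vuln><topic>d</topic></vuln>
</vuxml>"""


def lint_vids(xml_text):
    """Return (malformed, duplicated) vid lists for a VuXML document."""
    malformed, duplicated, seen = [], [], set()
    for vuln in ET.fromstring(xml_text).iter(VULN_TAG):
        vid = vuln.get("vid", "")          # a missing attribute lints as ""
        if not UUID_RE.fullmatch(vid):
            malformed.append(vid)
        elif vid.lower() in seen:          # vid is the entry key: must be unique
            duplicated.append(vid)
        seen.add(vid.lower())
    return malformed, duplicated


def stale_keys(stored_keys, xml_text):
    """Keys held in a consumer's store that no entry in the feed uses."""
    root = ET.fromstring(xml_text)
    current = {v.get("vid", "").lower() for v in root.iter(VULN_TAG)}
    return sorted(k for k in stored_keys if k.lower() not in current)


if __name__ == "__main__":
    bad, dup = lint_vids(SAMPLE)
    print("malformed vids:", bad)
    print("duplicated vids:", dup)
```

Because a corrected entry arrives under a different key, a consumer that only inserts or updates by vid keeps the old record; comparing stored keys against the feed, as `stale_keys` does, is what surfaces it for purging.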