albertodemichelis / squirrel

Official repository for the programming language Squirrel
http://www.squirrel-lang.org
MIT License

Out-Of-Bounds access vulnerability #241

Open simon-scannell-sonarsource opened 2 years ago

simon-scannell-sonarsource commented 2 years ago

At SonarSource, we are equally driven by studying and understanding real-world vulnerabilities and by helping the open-source community secure their projects. For this reason, we are contacting you regarding a vulnerability in Squirrel Script we found when collaborating with an external researcher, Niklas Breitfeld.

We have detected and verified an Out-Of-Bounds access in Squirrel that we would like to responsibly disclose to help protect users. Please find attached our detailed advisory with the vulnerable code lines, steps to reproduce the issue, and our suggestions regarding its remediation. We will be happy to participate in the patch review process. Unfortunately, an email with vulnerability details bounced. Could you let us know an appropriate email to send vulnerability details to?

GitHub now offers a Security Advisories feature, where we will be able to privately discuss this report, review the patches and automatically assign a CVE identifier during the publication step. If you choose this option, please invite our GitHub accounts @simon-scannell-sonarsource and @brymko to the draft.

pdh11 commented 2 years ago

If there is to be a Squirrel responsible-disclosure group, may I @pdh11 be added? Here at Electric Imp (now part of Twilio) we have real customers using the Squirrel interpreter in IoT devices and in the cloud, and potential sandbox escapes are obviously of some concern to us. (We've upstreamed fixes for a few previous issues ourselves.) Even information about this one vulnerability would be useful to us, and obviously we'd keep it embargoed as per the Squirrel project's wishes.

albertodemichelis commented 2 years ago

You can contact me with the details at "alberto AT squirrel-lang DOT org".

simon-scannell-sonarsource commented 2 years ago

Hi,

I have disclosed the details to @albertodemichelis' email stated above. We are happy to share the details with you @pdh11, given @albertodemichelis' consent.

Thank you!