Date: Sat, 1 Aug 2015 13:24:34 -0400 (EDT) From: cve-assign@...re.org To: carnil@...ian.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: devscripts: licensecheck: arbitrary shell command injection -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > licensecheck is prone to arbitrary shell command injection via > shell metacharacters in filenames > > https://bugs.debian.org/794260 > https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=c0687bcde23108dd42e146573c368b6905e6b8e8 Use CVE-2015-5704 for the issue involving shell metacharacters that was fixed in c0687bcde23108dd42e146573c368b6905e6b8e8. > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794260#8 > > (If the variable were expanded by shell, command injection wouldn't be > even possible. You could still exploit argument injection, but that's > less exciting.) Yes, but argument injection is within the scope of CVE and seems to be relevant even in the patched code, i.e., % touch -- -C % ln -s /etc/passwd magic.mgc % ls -l /etc/passwd -rw-r--r-- 1 root root 1388 Jul 16 14:47 /etc/passwd % licensecheck -- *C /usr/bin/licensecheck warning: cannot parse file '-C' with mime type '' % ls -l /etc/passwd -rw-r--r-- 1 0 root 248 Aug 1 13:07 /etc/passwd In other words, we don't believe it's intentional behavior for licensecheck to operate on arbitrary files that have '-' at the beginning of their names, and use these names to construct unsafe command lines for the file program. The new spawn section perhaps should begin with spawn(exec => ['file', '--brief', '--mime', '--dereference', '--', $file], instead. Use CVE-2015-5705 for this argument injection vulnerability. For now, we'll leave the open question of whether the file program should be following symlinks when creating a magic.mgc file in response to the -C option. Possibly file was supposed to be resilient in the face of unsafe directories, e.g., a legitimate user shouldn't need to be concerned about file overwrites when running "file *" in a directory where a local attacker has created a -C file and a symlink named magic.mgc. However, maybe the legitimate user is supposed to know to type "file -- *" whenever the directory might contain leading '-' characters in filenames. And maybe the legitimate user who directly enters -C on the command line actually wants magic.mgc to be created in the location specified by the symlink. It doesn't seem possible to decide whether there's a file vulnerability here without clarification from the author of file. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJVvP/TAAoJEKllVAevmvmsV0sIAL7zUQZr+qMT+n8fN6mdtroc wqgwVisSbNv1KfuzjPtQ0NZDLaO83gOs7Mx5HM/dZu/LAErFkfmzZpz+Cw3DYaqt cPCcwE+hPjylzsHNZYJvQaOzNqrM75tvmAvGRfaBTEiRkiW0fvkYsHr3wVi1VCqu lE304MuyzKuXNbBHPpM1G+RKWpkgHNmzQ57xGZ9GV+krO3MpkZ+na3wHAlnflBYv Q5klYBEOke8kvfnAQ2a7SL82sKhRmvNP5h+LS+IMb+Mg0zzTbt6HAqu4lNgWdKlP gkK3t5EOEwB9fikb6YYaHAxPF46cGgSGZDGakTzO50HfZK8xPv7/9u0qk8e4BhU= =CXEC -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ