Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat,  1 Aug 2015 13:24:34 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: devscripts: licensecheck: arbitrary shell command injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> licensecheck is prone to arbitrary shell command injection via
> shell metacharacters in filenames
> 
> https://bugs.debian.org/794260
> https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=c0687bcde23108dd42e146573c368b6905e6b8e8

Use CVE-2015-5704 for the issue involving shell metacharacters that
was fixed in c0687bcde23108dd42e146573c368b6905e6b8e8.


> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794260#8
> 
> (If the variable were expanded by shell, command injection wouldn't be 
> even possible. You could still exploit argument injection, but that's 
> less exciting.)

Yes, but argument injection is within the scope of CVE and seems to be
relevant even in the patched code, i.e.,

  % touch -- -C
  % ln -s /etc/passwd magic.mgc
  % ls -l /etc/passwd
  -rw-r--r-- 1 root root 1388 Jul 16 14:47 /etc/passwd
  % licensecheck -- *C
  /usr/bin/licensecheck warning: cannot parse file '-C' with mime type ''
  % ls -l /etc/passwd
  -rw-r--r-- 1 0 root 248 Aug  1 13:07 /etc/passwd

In other words, we don't believe it's intentional behavior for
licensecheck to operate on arbitrary files that have '-' at the
beginning of their names, and use these names to construct unsafe
command lines for the file program. The new spawn section perhaps
should begin with

  spawn(exec => ['file', '--brief', '--mime', '--dereference', '--', $file],

instead. Use CVE-2015-5705 for this argument injection vulnerability.

For now, we'll leave the open question of whether the file program
should be following symlinks when creating a magic.mgc file in
response to the -C option. Possibly file was supposed to be resilient
in the face of unsafe directories, e.g., a legitimate user shouldn't
need to be concerned about file overwrites when running "file *" in a
directory where a local attacker has created a -C file and a symlink
named magic.mgc. However, maybe the legitimate user is supposed to
know to type "file -- *" whenever the directory might contain leading
'-' characters in filenames. And maybe the legitimate user who
directly enters -C on the command line actually wants magic.mgc to be
created in the location specified by the symlink. It doesn't seem
possible to decide whether there's a file vulnerability here without
clarification from the author of file.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVvP/TAAoJEKllVAevmvmsV0sIAL7zUQZr+qMT+n8fN6mdtroc
wqgwVisSbNv1KfuzjPtQ0NZDLaO83gOs7Mx5HM/dZu/LAErFkfmzZpz+Cw3DYaqt
cPCcwE+hPjylzsHNZYJvQaOzNqrM75tvmAvGRfaBTEiRkiW0fvkYsHr3wVi1VCqu
lE304MuyzKuXNbBHPpM1G+RKWpkgHNmzQ57xGZ9GV+krO3MpkZ+na3wHAlnflBYv
Q5klYBEOke8kvfnAQ2a7SL82sKhRmvNP5h+LS+IMb+Mg0zzTbt6HAqu4lNgWdKlP
gkK3t5EOEwB9fikb6YYaHAxPF46cGgSGZDGakTzO50HfZK8xPv7/9u0qk8e4BhU=
=CXEC
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ