Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat,  1 Aug 2015 13:24:34 -0400 (EDT)
Subject: Re: CVE Request: devscripts: licensecheck: arbitrary shell command injection

Hash: SHA256

> licensecheck is prone to arbitrary shell command injection via
> shell metacharacters in filenames

Use CVE-2015-5704 for the issue involving shell metacharacters that
was fixed in c0687bcde23108dd42e146573c368b6905e6b8e8.

> (If the variable were expanded by shell, command injection wouldn't be 
> even possible. You could still exploit argument injection, but that's 
> less exciting.)

Yes, but argument injection is within the scope of CVE and seems to be
relevant even in the patched code, i.e.,

  % touch -- -C
  % ln -s /etc/passwd magic.mgc
  % ls -l /etc/passwd
  -rw-r--r-- 1 root root 1388 Jul 16 14:47 /etc/passwd
  % licensecheck -- *C
  /usr/bin/licensecheck warning: cannot parse file '-C' with mime type ''
  % ls -l /etc/passwd
  -rw-r--r-- 1 0 root 248 Aug  1 13:07 /etc/passwd

In other words, we don't believe it's intentional behavior for
licensecheck to operate on arbitrary files that have '-' at the
beginning of their names, and use these names to construct unsafe
command lines for the file program. The new spawn section perhaps
should begin with

  spawn(exec => ['file', '--brief', '--mime', '--dereference', '--', $file],

instead. Use CVE-2015-5705 for this argument injection vulnerability.

For now, we'll leave the open question of whether the file program
should be following symlinks when creating a magic.mgc file in
response to the -C option. Possibly file was supposed to be resilient
in the face of unsafe directories, e.g., a legitimate user shouldn't
need to be concerned about file overwrites when running "file *" in a
directory where a local attacker has created a -C file and a symlink
named magic.mgc. However, maybe the legitimate user is supposed to
know to type "file -- *" whenever the directory might contain leading
'-' characters in filenames. And maybe the legitimate user who
directly enters -C on the command line actually wants magic.mgc to be
created in the location specified by the symlink. It doesn't seem
possible to decide whether there's a file vulnerability here without
clarification from the author of file.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ