Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 28 Jun 2010 16:12:58 -0400 (EDT)
From: Josh Bressers <>
Cc: coley <>
Subject: Re: CVE request: feh

Please use CVE-2010-2246



----- "Daniel Friesel" <> wrote:

> Hi,
> there is an arbitrary code execution hole in feh versions <= 1.7 down
> to at
> least 1.3.4 (I didn't check earlier ones).
> When the user uses feh to open a remote file (URL) and uses the
> --wget-timestamp option, feh passe the unescaped URL to a system()
> call.
> So if an attacker can trick the user into opening an image URL
> containing
> shell metacharacters with feh --wget-timestamp, he is able to execute
> arbitrary shell code with the rights of the user executing feh. This
> requires
> the URL to resolve to an existing file, however. Obfuscating the shell
> code
> with HTTP escapes (like %20) does not seem to work, and a redirect
> (via
> tinyurl or similar) to a malicious URL will also have no effect.
> Example:
> remnant /t/feh > ls
> remnant /t/feh > feh --wget-timestamp
> '`touch lol_hax`.jpg'
> /bin/cp: cannot stat `/tmp/feh_011422_bar.jpg': No such file or
> directory
> feh WARNING: /tmp/feh_011422_000001_bar`touch lol_hax`.jpg does not
> exist - skipping
> feh WARNING: /tmp/feh_011422_000001_bar`touch lol_hax`.jpg - File does
> not exist
> feh - No loadable images specified.
> Use feh --help for detailed usage information
> remnant /t/feh > ls
> lol_hax
> remnant /t/feh >
> This has been fixed in feh 1.8:
> <>
> Please assign a CVE.
> Thanks,
> Daniel

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.