Date: Sat, 1 Aug 2015 13:24:34 -0400 (EDT) From: cve-assign@...re.org To: carnil@...ian.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: devscripts: licensecheck: arbitrary shell command injection -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > licensecheck is prone to arbitrary shell command injection via > shell metacharacters in filenames > > https://bugs.debian.org/794260 > https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=c0687bcde23108dd42e146573c368b6905e6b8e8 Use CVE-2015-5704 for the issue involving shell metacharacters that was fixed in c0687bcde23108dd42e146573c368b6905e6b8e8. > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794260#8 > > (If the variable were expanded by shell, command injection wouldn't be > even possible. You could still exploit argument injection, but that's > less exciting.) Yes, but argument injection is within the scope of CVE and seems to be relevant even in the patched code, i.e., % touch -- -C % ln -s /etc/passwd magic.mgc % ls -l /etc/passwd -rw-r--r-- 1 root root 1388 Jul 16 14:47 /etc/passwd % licensecheck -- *C /usr/bin/licensecheck warning: cannot parse file '-C' with mime type '' % ls -l /etc/passwd -rw-r--r-- 1 0 root 248 Aug 1 13:07 /etc/passwd In other words, we don't believe it's intentional behavior for licensecheck to operate on arbitrary files that have '-' at the beginning of their names, and use these names to construct unsafe command lines for the file program. The new spawn section perhaps should begin with spawn(exec => ['file', '--brief', '--mime', '--dereference', '--', $file], instead. Use CVE-2015-5705 for this argument injection vulnerability. For now, we'll leave the open question of whether the file program should be following symlinks when creating a magic.mgc file in response to the -C option. Possibly file was supposed to be resilient in the face of unsafe directories, e.g., a legitimate user shouldn't need to be concerned about file overwrites when running "file *" in a directory where a local attacker has created a -C file and a symlink named magic.mgc. However, maybe the legitimate user is supposed to know to type "file -- *" whenever the directory might contain leading '-' characters in filenames. And maybe the legitimate user who directly enters -C on the command line actually wants magic.mgc to be created in the location specified by the symlink. It doesn't seem possible to decide whether there's a file vulnerability here without clarification from the author of file. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJVvP/TAAoJEKllVAevmvmsV0sIAL7zUQZr+qMT+n8fN6mdtroc wqgwVisSbNv1KfuzjPtQ0NZDLaO83gOs7Mx5HM/dZu/LAErFkfmzZpz+Cw3DYaqt cPCcwE+hPjylzsHNZYJvQaOzNqrM75tvmAvGRfaBTEiRkiW0fvkYsHr3wVi1VCqu lE304MuyzKuXNbBHPpM1G+RKWpkgHNmzQ57xGZ9GV+krO3MpkZ+na3wHAlnflBYv Q5klYBEOke8kvfnAQ2a7SL82sKhRmvNP5h+LS+IMb+Mg0zzTbt6HAqu4lNgWdKlP gkK3t5EOEwB9fikb6YYaHAxPF46cGgSGZDGakTzO50HfZK8xPv7/9u0qk8e4BhU= =CXEC -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.