Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat,  1 Aug 2015 13:24:34 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: devscripts: licensecheck: arbitrary shell command injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> licensecheck is prone to arbitrary shell command injection via
> shell metacharacters in filenames
> 
> https://bugs.debian.org/794260
> https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=c0687bcde23108dd42e146573c368b6905e6b8e8

Use CVE-2015-5704 for the issue involving shell metacharacters that
was fixed in c0687bcde23108dd42e146573c368b6905e6b8e8.


> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794260#8
> 
> (If the variable were expanded by shell, command injection wouldn't be 
> even possible. You could still exploit argument injection, but that's 
> less exciting.)

Yes, but argument injection is within the scope of CVE and seems to be
relevant even in the patched code, i.e.,

  % touch -- -C
  % ln -s /etc/passwd magic.mgc
  % ls -l /etc/passwd
  -rw-r--r-- 1 root root 1388 Jul 16 14:47 /etc/passwd
  % licensecheck -- *C
  /usr/bin/licensecheck warning: cannot parse file '-C' with mime type ''
  % ls -l /etc/passwd
  -rw-r--r-- 1 0 root 248 Aug  1 13:07 /etc/passwd

In other words, we don't believe it's intentional behavior for
licensecheck to operate on arbitrary files that have '-' at the
beginning of their names, and use these names to construct unsafe
command lines for the file program. The new spawn section perhaps
should begin with

  spawn(exec => ['file', '--brief', '--mime', '--dereference', '--', $file],

instead. Use CVE-2015-5705 for this argument injection vulnerability.

For now, we'll leave the open question of whether the file program
should be following symlinks when creating a magic.mgc file in
response to the -C option. Possibly file was supposed to be resilient
in the face of unsafe directories, e.g., a legitimate user shouldn't
need to be concerned about file overwrites when running "file *" in a
directory where a local attacker has created a -C file and a symlink
named magic.mgc. However, maybe the legitimate user is supposed to
know to type "file -- *" whenever the directory might contain leading
'-' characters in filenames. And maybe the legitimate user who
directly enters -C on the command line actually wants magic.mgc to be
created in the location specified by the symlink. It doesn't seem
possible to decide whether there's a file vulnerability here without
clarification from the author of file.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVvP/TAAoJEKllVAevmvmsV0sIAL7zUQZr+qMT+n8fN6mdtroc
wqgwVisSbNv1KfuzjPtQ0NZDLaO83gOs7Mx5HM/dZu/LAErFkfmzZpz+Cw3DYaqt
cPCcwE+hPjylzsHNZYJvQaOzNqrM75tvmAvGRfaBTEiRkiW0fvkYsHr3wVi1VCqu
lE304MuyzKuXNbBHPpM1G+RKWpkgHNmzQ57xGZ9GV+krO3MpkZ+na3wHAlnflBYv
Q5klYBEOke8kvfnAQ2a7SL82sKhRmvNP5h+LS+IMb+Mg0zzTbt6HAqu4lNgWdKlP
gkK3t5EOEwB9fikb6YYaHAxPF46cGgSGZDGakTzO50HfZK8xPv7/9u0qk8e4BhU=
=CXEC
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.