Date: Mon, 14 Jun 2021 12:12:56 +0200 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: xscreensaver: filename command injection in vidwhacker screensaver The "vidwhacker" screensaver in xscreensaver does not properly escape filenames of input images, allowing command injection via filenames. The autor of xscreensaver considers this a non-issue. xscreensaver contains a screensaver called "vidwhacker" which uses image files as an input and passes them to various command line tools for decoding. A user can configure a directory with images. The filenames are passed to the command line tools without any escaping. This allows injecting commands, e.g. via subshells. PoC: * Create a dir with a file named '$(touch pwn).png' * Run xscreensaver-demo, configure the vidwhacker directory to above dir and run preview. * File "pwn" gets created. I believe this is a low risk security issue. A possible attack scenario would be e.g. someone providing an image collection to a victim which is large enough that an unusual filename wouldn't be noted. The author of xscreensaver disagrees and wrote me he considers this a non-issue. -- Hanno Böck https://hboeck.de/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.