Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 14 Jun 2021 12:12:56 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: xscreensaver: filename command injection in vidwhacker screensaver

The "vidwhacker" screensaver in xscreensaver does not properly escape
filenames of input images, allowing command injection via filenames.

The autor of xscreensaver considers this a non-issue.

xscreensaver contains a screensaver called "vidwhacker" which uses
image files as an input and passes them to various command line tools
for decoding. A user can configure a directory with images.

The filenames are passed to the command line tools without any
escaping. This allows injecting commands, e.g. via subshells.

PoC:
* Create a dir with a file named '$(touch pwn).png'
* Run xscreensaver-demo, configure the vidwhacker directory to above
  dir and run preview.
* File "pwn" gets created.

I believe this is a low risk security issue. A possible attack
scenario would be e.g. someone providing an image collection to a
victim which is large enough that an unusual filename wouldn't be noted.

The author of xscreensaver disagrees and wrote me he considers this a
non-issue.

-- 
Hanno Böck
https://hboeck.de/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.