Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20150801172434.746C54D8BEC@smtpvbsrv1.mitre.org>
Date: Sat,  1 Aug 2015 13:24:34 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: devscripts: licensecheck: arbitrary shell command injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> licensecheck is prone to arbitrary shell command injection via
> shell metacharacters in filenames
> 
> https://bugs.debian.org/794260
> https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=c0687bcde23108dd42e146573c368b6905e6b8e8

Use CVE-2015-5704 for the issue involving shell metacharacters that
was fixed in c0687bcde23108dd42e146573c368b6905e6b8e8.


> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794260#8
> 
> (If the variable were expanded by shell, command injection wouldn't be 
> even possible. You could still exploit argument injection, but that's 
> less exciting.)

Yes, but argument injection is within the scope of CVE and seems to be
relevant even in the patched code, i.e.,

  % touch -- -C
  % ln -s /etc/passwd magic.mgc
  % ls -l /etc/passwd
  -rw-r--r-- 1 root root 1388 Jul 16 14:47 /etc/passwd
  % licensecheck -- *C
  /usr/bin/licensecheck warning: cannot parse file '-C' with mime type ''
  % ls -l /etc/passwd
  -rw-r--r-- 1 0 root 248 Aug  1 13:07 /etc/passwd

In other words, we don't believe it's intentional behavior for
licensecheck to operate on arbitrary files that have '-' at the
beginning of their names, and use these names to construct unsafe
command lines for the file program. The new spawn section perhaps
should begin with

  spawn(exec => ['file', '--brief', '--mime', '--dereference', '--', $file],

instead. Use CVE-2015-5705 for this argument injection vulnerability.

For now, we'll leave the open question of whether the file program
should be following symlinks when creating a magic.mgc file in
response to the -C option. Possibly file was supposed to be resilient
in the face of unsafe directories, e.g., a legitimate user shouldn't
need to be concerned about file overwrites when running "file *" in a
directory where a local attacker has created a -C file and a symlink
named magic.mgc. However, maybe the legitimate user is supposed to
know to type "file -- *" whenever the directory might contain leading
'-' characters in filenames. And maybe the legitimate user who
directly enters -C on the command line actually wants magic.mgc to be
created in the location specified by the symlink. It doesn't seem
possible to decide whether there's a file vulnerability here without
clarification from the author of file.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVvP/TAAoJEKllVAevmvmsV0sIAL7zUQZr+qMT+n8fN6mdtroc
wqgwVisSbNv1KfuzjPtQ0NZDLaO83gOs7Mx5HM/dZu/LAErFkfmzZpz+Cw3DYaqt
cPCcwE+hPjylzsHNZYJvQaOzNqrM75tvmAvGRfaBTEiRkiW0fvkYsHr3wVi1VCqu
lE304MuyzKuXNbBHPpM1G+RKWpkgHNmzQ57xGZ9GV+krO3MpkZ+na3wHAlnflBYv
Q5klYBEOke8kvfnAQ2a7SL82sKhRmvNP5h+LS+IMb+Mg0zzTbt6HAqu4lNgWdKlP
gkK3t5EOEwB9fikb6YYaHAxPF46cGgSGZDGakTzO50HfZK8xPv7/9u0qk8e4BhU=
=CXEC
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.