Date: Sat,  1 Aug 2015 13:24:34 -0400 (EDT)
Subject: Re: CVE Request: devscripts: licensecheck: arbitrary shell command injection


> licensecheck is prone to arbitrary shell command injection via
> shell metacharacters in filenames

Use CVE-2015-5704 for the issue involving shell metacharacters that
was fixed in c0687bcde23108dd42e146573c368b6905e6b8e8.

> (If the variable were expanded by shell, command injection wouldn't be 
> even possible. You could still exploit argument injection, but that's 
> less exciting.)

Yes, but argument injection is within the scope of CVE and seems to be
relevant even in the patched code, i.e.,

  % touch -- -C
  % ln -s /etc/passwd magic.mgc
  % ls -l /etc/passwd
  -rw-r--r-- 1 root root 1388 Jul 16 14:47 /etc/passwd
  % licensecheck -- *C
  /usr/bin/licensecheck warning: cannot parse file '-C' with mime type ''
  % ls -l /etc/passwd
  -rw-r--r-- 1 0 root 248 Aug  1 13:07 /etc/passwd

In other words, we don't believe it's intentional behavior for
licensecheck to operate on arbitrary files that have '-' at the
beginning of their names, and use these names to construct unsafe
command lines for the file program. The new spawn section perhaps
should begin with

  spawn(exec => ['file', '--brief', '--mime', '--dereference', '--', $file],

instead. Use CVE-2015-5705 for this argument injection vulnerability.

For now, we'll leave the open question of whether the file program
should be following symlinks when creating a magic.mgc file in
response to the -C option. Possibly file was supposed to be resilient
in the face of unsafe directories, e.g., a legitimate user shouldn't
need to be concerned about file overwrites when running "file *" in a
directory where a local attacker has created a -C file and a symlink
named magic.mgc. However, maybe the legitimate user is supposed to
know to type "file -- *" whenever the directory might contain leading
'-' characters in filenames. And maybe the legitimate user who
directly enters -C on the command line actually wants magic.mgc to be
created in the location specified by the symlink. It doesn't seem
possible to decide whether there's a file vulnerability here without
clarification from the author of file.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
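The two fixes discussed in the message (passing argv as a list so no shell parses the filename, and ending option parsing with `--` so a name like `-C` is an operand rather than an option) are illustrated below as an added Python example. It is not code from devscripts or from the message; it only mirrors the command line the message proposes. The function and helper names, the `neutralise_leading_dash` alternative, and the temporary directory used for the demonstration are assumptions for illustration, and `mime_type` assumes a `file` binary on PATH (it returns None when there is none).

```python
import os
import shutil
import subprocess
import tempfile

FILE_BIN = "file"  # assumed to be the system file(1); checked at runtime


def file_argv(path, terminator=True):
    """Build the argv list for querying a file's MIME type with file(1).

    With terminator=True the '--' end-of-options marker precedes the
    operand, so a name such as '-C' is a filename, never an option
    (the CVE-2015-5705 point).  terminator=False reproduces the shape of
    the command line without the marker, for comparison only.
    """
    argv = [FILE_BIN, "--brief", "--mime", "--dereference"]
    if terminator:
        argv.append("--")
    argv.append(path)
    return argv


def looks_like_option(arg):
    """True when an operand would be read as an option by a getopt-style
    parser if it were placed before '--' (e.g. '-C', '--version')."""
    return arg.startswith("-")


def neutralise_leading_dash(path):
    """Alternative mitigation for tools that do not honour '--': prefix a
    relative name that starts with '-' with './' so it can no longer be
    mistaken for an option.  Absolute and ordinary names are unchanged."""
    return "./" + path if path.startswith("-") else path


def mime_type(path):
    """Return the MIME string file(1) reports for path, or None if file(1)
    is not installed.  argv is passed as a list, so no shell ever sees the
    name and metacharacters in it are inert (the CVE-2015-5704 fix)."""
    if shutil.which(FILE_BIN) is None:
        return None
    proc = subprocess.run(file_argv(path), capture_output=True,
                          text=True, check=False)
    return proc.stdout.strip() or None


def demo():
    """Create a constructed directory holding a file literally named '-C'
    and show that it is classified as a file, not parsed as an option."""
    with tempfile.TemporaryDirectory() as d:
        name = "-C"  # constructed: a filename that looks like an option
        with open(os.path.join(d, name), "w") as fh:
            fh.write("plain text sample\n")
        cwd = os.getcwd()
        os.chdir(d)
        try:
            print("argv with terminator :", file_argv(name))
            print("argv without         :", file_argv(name, terminator=False))
            print("option-like operand? :", looks_like_option(name))
            print("./ alternative       :", neutralise_leading_dash(name))
            print("file(1) says         :", mime_type(name))
        finally:
            os.chdir(cwd)


if __name__ == "__main__":
    demo()
```

`file_argv` is the only piece that matters for the fix: the operand always follows `--`, and nothing in it is ever handed to a shell. `neutralise_leading_dash` is included because not every program accepts `--`, and prefixing `./` is the usual alternative for relative names.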

