URL:
  <https://savannah.gnu.org/bugs/?55557>

                 Summary: gropdf can execute arbitrary commands
                 Project: GNU troff
            Submitted by: deri
            Submitted on: Wed 23 Jan 2019 03:59:31 PM UTC
                Category: Device gropdf
                Severity: 4 - Important
              Item Group: Warning/Suspicious behaviour
                  Status: Confirmed
                 Privacy: Public
             Assigned to: deri
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None

    _______________________________________________________

Details:

Vincent Lefevre has reported this security problem on the Debian bug
tracker:-


  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269

So I am opening this bug here. It has been discussed on the groff mailing
list, here:-

http://lists.gnu.org/archive/html/groff/2019-01/msg00024.html

The problem is explained as:-

"... but providing a "filename" with a pipe character can yield an
arbitrary command execution:

$ touch foo
$ ls foo
foo
$ gropdf "rm foo|"
$ ls foo
ls: cannot access 'foo': No such file or directory
$ 

The reason is that gropdf is a Perl script that uses the insecure
null filehandle "<>". "

Colin Watson has suggested including code to "clean" the arguments passed
on the gropdf command line. He has also identified other Perl scripts which
may have a similar problem:-

  $ find -name \*.pl | xargs grep -- '<>'
  ./src/devices/gropdf/gropdf.pl:while (<>)
  ./src/devices/gropdf/gropdf.pl: my $lin=<>;
  ./tmac/hyphenex.pl:while (<>) {
  ./contrib/gpinyin/gpinyin.pl:foreach (<>) {     # get line from input
  ./contrib/gperl/gperl.pl:foreach (<>) {
  ./contrib/glilypond/glilypond.pl: LILYPOND: foreach (<>) {
  ./contrib/glilypond/glilypond.pl:  } # end foreach <>

I shall look at ways of blocking this behaviour.
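
One way to block this behaviour, shown as an added example that is not gropdf's code and not the fix the project adopted: replace the `while (<>)` loop with explicit three-argument opens, so each argument is only ever a file name. The helper name `for_each_input_line` and the scratch-directory check are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: read command-line files without the magic two-argument open
# that the null filehandle <> performs on each element of @ARGV.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper (not gropdf code): call $handler on every input line.
# Each name is opened with three-argument open in '<' mode, so characters
# such as '|', '<' and '>' are part of the file name and never a mode.
sub for_each_input_line {
    my ($handler, @names) = @_;
    @names = ('-') unless @names;          # no arguments: read stdin, as <> does
    my $failed = 0;
    for my $name (@names) {
        my $fh;
        if ($name eq '-') {
            $fh = \*STDIN;                 # keep the usual "-" convention
        } elsif (!open($fh, '<', $name)) {
            warn "cannot open '$name': $!\n";
            $failed++;
            next;
        }
        while (my $line = <$fh>) { $handler->($line) }
        close($fh) unless $name eq '-';
    }
    return $failed;
}

# Constructed check, using the argument from the report, in a scratch directory.
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";
open(my $out, '>', 'foo') or die "create foo: $!";
print {$out} "x X 1\n";                    # constructed sample content
close($out);

my @lines;
my $failed = for_each_input_line(sub { push @lines, $_[0] }, 'rm foo|', 'foo');
printf "failed opens: %d, lines read: %d, foo still exists: %s\n",
    $failed, scalar(@lines), (-e 'foo' ? 'yes' : 'no');
chdir '/';    # leave the scratch directory so cleanup can remove it
```

On Perl 5.22 and later, the double-diamond operator `<<>>` gives the same literal-file-name handling with a one-token change, but it also treats `-` as a file name rather than as standard input.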




