On Fri, Mar 15, 2013 at 06:58:42AM +0100, Florian Zumbiehl wrote:
> Remove (load)ing of ./.csirc on csi startup as it can lead to execution of
> untrusted code.
This is pretty serious. I'll request a CVE and issue an advisory shortly, once this patch has gone in. Attached is a slightly improved patch which just ignores HOME if it's empty, as that's a little friendlier (it's not serious if HOME is empty and it can be easily recovered from). I've also added a note to NEWS.

I nominate this patch for inclusion into the stability branch.

> ---
>
> I think a replacement mechanism is not necessary, anyone who wants the old
> behaviour can just add appropriate code to their ~/.csirc.
>
> The TOCTOU sporadic failure bug I have left in as I don't have a clue how
> to fix that.

I'm assuming you are talking about the check whether ~/.csirc exists before invoking LOAD on it. If there's some other TOCTOU bug, please be a little more verbose.

Maybe this could be treated by catching an exception? OTOH, it shouldn't matter much, as the only one who should have access to ~/.csirc is the user himself.

Cheers,
Peter
--
http://www.more-magic.net
>From 526db30546d45f71591043b884b8d3ea25c673db Mon Sep 17 00:00:00 2001 From: Florian Zumbiehl <[email protected]> Date: Fri, 15 Mar 2013 06:58:42 +0100 Subject: [PATCH] csi: fix untrusted code execution by (load)ing ./.csirc Remove (load)ing of ./.csirc on csi startup as it can lead to execution of untrusted code. Signed-off-by: Peter Bex <[email protected]> --- NEWS | 4 ++++ csi.scm | 12 +++++------- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/NEWS b/NEWS index 4023338..c21c7cf 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,9 @@ 4.8.2 +- Security fixes + - ./.csirc is no longer loaded from the current directory upon startup of csi, + which could lead to untrusted code execution. (thanks to Florian Zumbiehl) + - Tools - csc: added "-oi"/"-ot" options as alternatives to "-emit-inline-file" and "-emit-type-file", respectively; "-n" has been deprecated. diff --git a/csi.scm b/csi.scm index b2b9f24..55a2ce8 100644 --- a/csi.scm +++ b/csi.scm @@ -1019,13 +1019,11 @@ EOF (cons (cadr p) (loop (cddr p)))) ) ] [else '()] ) ) ) (define (loadinit) - (let ([fn (##sys#string-append "./" init-file)]) - (if (file-exists? fn) - (load fn) - (let* ([prefix (chop-separator (or (get-environment-variable "HOME") "."))] - [fn (string-append prefix "/" init-file)] ) - (when (file-exists? fn) - (load fn) ) ) ) ) ) + (and-let* ((home (get-environment-variable "HOME")) + ((not (string=? home "")))) + (let ((fn (string-append (chop-separator home) "/" init-file))) + (when (file-exists? fn) + (load fn) ) ) ) ) (define (evalstring str #!optional (rec (lambda _ (void)))) (let ((in (open-input-string str))) (do ([x (read in) (read in)]) -- 1.7.12
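Review bot: the NEWS hunk adds the "Security fixes" entry without any identifier for the issue; Peter says above that he will request a CVE, so once it is assigned it should be appended to this entry (and to the commit message) so packagers tracking 4.8.2 can match the fix to the advisory.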
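Review bot: in the csi.scm hunk the new loadinit still pairs `(when (file-exists? fn)` with `(load fn)`, so the check-then-load window Florian refers to is unchanged; Peter's suggestion of dropping the existence check and catching the exception from load would close it, and since only the user owns ~/.csirc this can reasonably be a follow-up rather than a blocker. The and-let* guard is otherwise correct: an unset HOME or an empty string now makes loadinit a no-op instead of the old fallback to ".", which is the behaviour the NEWS entry describes, but that fallback removal is worth one sentence in the commit message since it is the actual fix.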
_______________________________________________
Chicken-hackers mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/chicken-hackers
