Package: evilvte
Version: 0.5.1-1
Severity: important
Tags: security

Dear Maintainer,

Although a terminal is designed to execute commands it is unexpected
that clicking on hyperlinks would execute arbitrary code, and
unfortunately that is trivially possible.

Consider the following hyperlink:

   http://example.com';touch$IFS/tmp/blah'

If that is displayed in the shell it will be highlighted, completely,
and clicking upon it will do two things:

* open http://example.com/ in the user's browser (firefox).
* Create the file /tmp/blah

This comes from one of several regions of the code:


      g_snprintf(new_window_str, sizeof(new_window_str), "%s '%s' &",
                 MATCH_STRING_L, matched_url);
      system(new_window_str);

Or:

      char new_window_str[256];
      if (event->button == 2)
        g_snprintf(new_window_str, sizeof(new_window_str), "%s '%s' &",
                   MATCH_STRING_M, matched_url);
      system(new_window_str);

An evil attacker could use this to send a link by email, which would
be displayed via mutt/lumail/rmail/etc, and thus the user would click
upon it.

Mitigating factors: The string is capped to 240 characters or so, once
you remove "firefox '...'&" from the string.  So if a user has a
sufficiently wide terminal they might be OK ;)

Finally there is a simpler way opening a new window could also do evil things,
due to the use of `default_directory`:

      g_snprintf(new_window_str, sizeof(new_window_str), "cd '%s' ; %s &",
                 default_directory, PROGRAM_NAME);
      system(new_window_str);


I'd suggest a decent audit of all uses of `system` to catch these flaws, but
I'd expect both of these flaws would qualify for CVE identifiers ..


-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages evilvte depends on:
ii  libc6         2.19-18+deb8u7
ii  libglib2.0-0  2.42.1-1+b1
ii  libgtk2.0-0   2.24.25-3+deb8u1
ii  libvte9       1:0.28.2-5

evilvte recommends no packages.

evilvte suggests no packages.

-- no debconf information
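
The link case from the report above, as an added example that is not part of
the original report or of evilvte's code: the matched URL is handed to the
opener as a single argv element via posix_spawnp() instead of being pasted
into a string for system(), and matches that are not plain http(s) URLs are
rejected. The names url_is_safe and open_url, the sample benign URL and the
use of `true` as a stand-in opener are assumptions.

```c
#include <spawn.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Accept only http(s) URLs made of RFC 3986 characters. The required scheme
 * prefix also stops a match starting with '-' being read as an option. */
static bool url_is_safe(const char *url)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        "-._~:/?#[]@!$&()*+,;=%";   /* RFC 3986 set minus the single quote */

    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return false;
    return url[strspn(url, ok)] == '\0';
}

/* Run `opener url` with no shell in between, so ';' and '$' in the URL are
 * plain bytes. Waits for the child to keep the example short. Returns the
 * opener's exit status, or -1 if the URL was rejected or nothing ran. */
static int open_url(const char *opener, const char *url)
{
    char *const argv[] = { (char *)opener, (char *)url, NULL };
    pid_t pid;
    int status;

    if (!url_is_safe(url))
        return -1;
    if (posix_spawnp(&pid, opener, NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* The link from the report, then a constructed benign one. */
    printf("%d\n", open_url("true", "http://example.com';touch$IFS/tmp/blah'"));
    printf("%d\n", open_url("true", "http://example.com/?a=1;b=$x"));
    return 0;
}
```

A terminal would not block in waitpid() on a real browser; it would reap the
child asynchronously instead.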
