On Mon, Oct 27, 2008 at 5:03 PM, Nico Golde <[EMAIL PROTECTED]> wrote:
> Hi Ludovic,
> * Ludovic Rousseau <[EMAIL PROTECTED]> [2008-10-27 16:47]:
>> On Mon, Oct 27, 2008 at 1:06 PM, Matthias Wandel <[EMAIL PROTECTED]> wrote:
>> > So what is the security vulnerability?
>> >
>> > You can use it to delete files, but why not just use "rm"?
>>
>> If I understand correctly we have two problems (from [1])
>> 2 - unsafe temp file creation
>
> Yes, but this is not exactly the same problem as the static
> name that was used before.
>
>> 4 - shell escapes
>>
>> I think "unsafe temp file creation" is referring to the use of
>> unlink() at line 329 of jhead.c. I don't think it is a grave problem.
>
> Correct.
>
>> "shell escapes" is more serious since you use system() at line 339 of
>> jhead.c without escaping any special characters a file name could
>> contain.
>
> Correct, that is the problem. Crafted file names can execute
> commands in the shell.
>
>> For example if you have a file named "foo.jpg ; rm -rf ~" you could
>> make bad things without noticing.
>> Yes, you should be stupid to use such a file name.
>
> All the issues recently released for jhead are not really
> important; the problem is non-interactive setups where
> jhead is called from scripts.
>
>> > Unless of course you run it as setuid root, but why would you go out of
>> > your way to do that?
>>
>> A solution would be to use one of the exec(3) system calls instead of
>> system(3).
>
> Yes, or to filter the string.
I may try to implement a filter mechanism. I think the idea is to stop the execution with an error message if a special character is found.

What would be the list of normal characters? [a-z][A-Z][0-9][-.]?
How to filter file names in UTF-8? With accents or non-ASCII characters?

An easier solution is to refuse special characters like & and ; but that may not completely solve the problem.

I need help here.

Bye

--
Dr. Ludovic Rousseau
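The three pieces discussed in this thread, as an added example that is not part of the original message and not jhead's own code: the system(3) pattern in which a file name is pasted into a shell command line, the exec(3)-based replacement that hands the name to the tool as a single argv element so no shell ever interprets it, and a conservative whitelist filter of the kind Ludovic asks about (it accepts only ASCII alphanumerics and `-._/`, rejects a leading `-` because the tool would parse it as an option, and rejects every byte >= 0x80, i.e. all non-ASCII UTF-8, which is the simplest safe answer to the UTF-8 question at the cost of refusing accented names). The function names, the choice of `true`, `false` and `test` as stand-in tools, and the exact character set are assumptions made for the illustration.

```c
/* Added example, not jhead's code: shell injection via system(3) versus
 * an exec(3)-based replacement, plus a whitelist file-name filter.
 * All names below are illustrative assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The vulnerable pattern: build "tool filename" for system(3).
 * Returns the string so the injection can be inspected; a caller that
 * passed it to system(3) would execute whatever follows a ';' in the name. */
char *build_shell_command(const char *tool, const char *filename)
{
    size_t n = strlen(tool) + strlen(filename) + 2;
    char *cmd = malloc(n);
    if (cmd == NULL)
        return NULL;
    snprintf(cmd, n, "%s %s", tool, filename);
    return cmd;
}

/* Whitelist filter (assumed policy): [A-Za-z0-9] and "-._/" only, no
 * leading '-', no empty name, no byte >= 0x80 (so non-ASCII UTF-8 is
 * refused rather than risk-assessed). Returns 1 if the name is accepted. */
int filename_is_plain(const char *name)
{
    const unsigned char *p;
    if (name == NULL || name[0] == '\0' || name[0] == '-')
        return 0;
    for (p = (const unsigned char *)name; *p != '\0'; p++) {
        if (*p >= 0x80)
            return 0;
        if (isalnum(*p) || *p == '-' || *p == '.' || *p == '_' || *p == '/')
            continue;
        return 0;
    }
    return 1;
}

/* The replacement: fork(2) + execvp(3) with an explicit argv. No shell is
 * involved, so ';', '&', quotes and spaces in filename are passed through
 * literally as one argument. Returns the child's exit status, 127 if the
 * tool could not be executed, or -1 on fork/wait failure. */
int run_tool_on_file(const char *tool, const char *filename)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, (char *)filename, NULL };
        execvp(tool, argv);
        _exit(127);             /* exec failed: tool not found or not runnable */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Filter first, then exec: -2 means the name was refused before any
 * process was started, which is the "stop with an error" behaviour the
 * thread proposes. */
int process_file(const char *tool, const char *filename)
{
    if (!filename_is_plain(filename))
        return -2;
    return run_tool_on_file(tool, filename);
}

int main(void)
{
    const char *bad = "foo.jpg ; rm -rf ~";   /* constructed file name from the thread */
    char *cmd = build_shell_command("jpegtran", bad);
    printf("system(3) would receive: %s\n", cmd);
    free(cmd);
    printf("filter accepts bad name: %d\n", filename_is_plain(bad));
    printf("exec path exit status (true): %d\n", run_tool_on_file("true", bad));
    printf("process_file refused: %d\n", process_file("true", bad));
    return 0;
}
```

Running it shows the first line already contains `; rm -rf ~` as a second shell command, while `run_tool_on_file` exits 0 with `true` having received the whole name as one harmless argument. The filter is deliberately stricter than necessary; if accented names must be accepted, the right fix is still the exec path, with the filter reduced to rejecting a leading `-` and an empty name.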