Ok, I have integrated this patch, plus a temp file patch that was submitted, and uploaded it as the head rev copy on the website. The head rev version number has been changed to 2.85.
I have made sure it works under Windows, and done some quick checks under Linux. Let me know if its good for you. Matthias ----- Original Message ----- From: "Bruno De Fraine" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Thursday, October 30, 2008 9:31 AM Subject: Re: jhead: CVE-2008-4640, CVE-2008-4641 command injection via filename and insecure file handling > Hello, > > After looking at the documentation of my shell, I propose the > following patch for the command injection problem. (I assume this > works for other Unix shells as well.) > > Demo with some maliciously crafted file names: > > $ ./jhead -cmd "ls &i" foo.jpg* > Cmd:ls "foo.jpg\`date\`" > foo.jpg`date` > Modified: foo.jpg`date` > Cmd:ls "foo.jpg;date" > foo.jpg;date > Modified: foo.jpg;date > Cmd:ls "foo.jpg\";date\"" > foo.jpg";date" > Modified: foo.jpg";date" > Cmd:ls "foo.jpg\$HOME" > foo.jpg$HOME > Modified: foo.jpg$HOME > > Greetings, > Bruno > > > diff -ru jhead-2.84/jhead.c jhead-2.84-mod/jhead.c > --- jhead-2.84/jhead.c 2008-10-04 18:10:35.000000000 +0200 > +++ jhead-2.84-mod/jhead.c 2008-10-30 15:12:15.000000000 +0100 > @@ -293,6 +293,33 @@ > > #endif // MATTHIAS > > + > //-------------------------------------------------------------------------- > +// Escape an argument such that it is interpreted literally by the > shell > +// (returns the number of written characters) > + > //-------------------------------------------------------------------------- > +static int shellescape(char* to, const char* from) > +{ > + int i, j; > + i = j = 0; > + > +// Enclosing characters in double quotes preserves the literal value of > +// all characters within the quotes, with the exception of $, `, and \. > + to[j++] = '"'; > + while(from[i]) > + { > + switch(from[i]) { > + case '"': > + case '$': > + case '`': > + case '\\': > + to[j++] = '\\'; > + default: > + to[j++] = from[i++]; > + } > + } > + to[j++] = '"'; > + return j; > +} > > //-------------------------------------------------------------------------- > // Apply the specified command to the JPEG file. > @@ -316,13 +343,13 @@ > if (ApplyCommand[a] == '&'){ > if (ApplyCommand[a+1] == 'i'){ > // Input file. > - e += sprintf(ExecString+e, "\"%s\"",FileName); > + e += shellescape(ExecString+e, FileName); > a += 1; > continue; > } > if (ApplyCommand[a+1] == 'o'){ > // Needs an output file distinct from the input file. > - e += sprintf(ExecString+e, "\"%s\"",TempName); > + e += shellescape(ExecString+e, TempName); > a += 1; > TempUsed = TRUE; > unlink(TempName);// Remove any pre-existing temp file > -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]