Your message dated Sat, 31 Dec 2016 21:02:32 +0000
with message-id <e1cnqnq-0009op...@fasolo.debian.org>
and subject line Bug#848132: fixed in most 5.0.0a-2.3+deb8u1
has caused the Debian Bug report #848132,
regarding most: CVE-2016-1253: shell injection attack using LZMA-compressed 
files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
848132: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848132
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: most
Version: 5.0.0a-1
Severity: grave
Tags: security patch
Justification: user security hole

Hello,

the most pager can automatically open files compressed with gzip,
bzip2 and (in Debian) LZMA.

This is done using popen() and, in earlier releases of most, it was
vulnerable to a shell injection attack.

most fixed this in v5.0.0 (released in 2007), but the Debian patch
that added LZMA support (bug #466574) remains vulnerable.

It is trivial to generate a file with a certain name and content that,
when opened with most, runs arbitrary commands on the user's computer.

most is also launched by other programs as a pager for text files
(example: an e-mail client that needs to open an attachment). If any
of those programs generates a temporary file name that can be set by
an attacker, then that can be used to break into the user's machine.
I don't have any example of such a program, however.

All versions of most >= 5.0.0a-1 including 5.0.0a-2.5 in Debian
(and derivatives that include the LZMA patch) are vulnerable (older
versions are vulnerable in all distros as I explained earlier).

   https://security-tracker.debian.org/tracker/CVE-2016-1253

I'm attaching the debdiff with the patch. It simply replaces single
quotes with double quotes in the command passed to popen(). Double
quotes in the filename are escaped by most in order to prevent this
kind of attack, but this offers no protection if the file name is
enclosed in single quotes.

Regards,

Berto

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages most depends on:
ii  libc6      2.24-7
ii  libslang2  2.3.1-5

most recommends no packages.

most suggests no packages.

-- no debconf information
diff -Nru most-5.0.0a/debian/changelog most-5.0.0a/debian/changelog
--- most-5.0.0a/debian/changelog	2016-08-05 02:55:52.000000000 +0300
+++ most-5.0.0a/debian/changelog	2016-12-14 14:31:29.000000000 +0200
@@ -1,3 +1,12 @@
+most (5.0.0a-2.6) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * lzma-support.patch:
+    - Fix CVE-2016-1253 (shell injection attack when opening
+      lzma-compressed files).
+
+ -- Alberto Garcia <be...@igalia.com>  Wed, 14 Dec 2016 14:31:29 +0200
+
 most (5.0.0a-2.5) unstable; urgency=medium
 
   * Non-maintainer upload.
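Review bot: the new 5.0.0a-2.6 changelog entry does not reference the bug it fixes, so the BTS will not close the report when the upload is accepted; append `(Closes: #848132)` to the `Fix CVE-2016-1253 (shell injection attack when opening lzma-compressed files)` item, as the later deb8u1 changelog in this thread does.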
diff -Nru most-5.0.0a/debian/patches/lzma-support.patch most-5.0.0a/debian/patches/lzma-support.patch
--- most-5.0.0a/debian/patches/lzma-support.patch	2016-07-22 01:50:23.000000000 +0300
+++ most-5.0.0a/debian/patches/lzma-support.patch	2016-12-14 14:25:03.000000000 +0200
@@ -1,3 +1,5 @@
+Index: most-5.0.0a/src/file.c
+===================================================================
 --- most-5.0.0a.orig/src/file.c
 +++ most-5.0.0a/src/file.c
 @@ -77,7 +77,7 @@ static int create_gunzip_cmd (char *cmd,
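Review bot: the refreshed patch gains `Index:` lines at the top of lzma-support.patch but still carries no DEP-3 header; since this patch file is the only place the Debian-specific lzma code and its CVE fix live, a short `Description:` plus `Bug-Debian:` block above the first `Index:` line would record why the popen() format string changed.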
@@ -32,13 +34,15 @@
  	
  	if (cmd != NULL)
  	  {
+Index: most-5.0.0a/src/file.h
+===================================================================
 --- most-5.0.0a.orig/src/file.h
 +++ most-5.0.0a/src/file.h
 @@ -22,6 +22,7 @@
  #define MOST_MAX_FILES 4096
  #define MOST_GUNZIP_POPEN_FORMAT "gzip -dc \"%s\""
  #define MOST_BZIP2_POPEN_FORMAT "bzip2 -dc \"%s\""
-+#define MOST_LZMA_POPEN_FORMAT "lzma -dc '%s'"
++#define MOST_LZMA_POPEN_FORMAT "lzma -dc \"%s\""
  
  extern void most_reread_file (void);
  extern void most_read_to_line (int);
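Review bot: the `++#define MOST_LZMA_POPEN_FORMAT "lzma -dc \"%s\""` line brings the lzma format into line with the gzip and bzip2 ones directly above it, so the double-quote escaping the report describes now applies to lzma names as well; the hunk does not show what else most escapes before calling popen(), so confirm that `$`, backticks and backslashes (which the shell still interprets inside double quotes) are handled too, or consider running lzma via fork()/execvp() with the file name as its own argv element so that no shell parses it at all.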

--- End Message ---
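The fix above keeps popen() and relies on most escaping double quotes in the file name. As an added example (not the reporter's code and not most's; run_capture and shell_quote_single are names chosen here), the two more robust alternatives a reviewer would ask for: running the decompressor without a shell via fork()/execvp(), and, where a shell command line is unavoidable, single-quoting the name with every embedded quote rewritten as '\''.

```c
/* Added example, not code from most or from the Debian patch: two ways to pass
 * a file name to a decompressor without a shell reinterpreting it. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* popen()-free runner, e.g. char *cmd[] = {"lzma", "-dc", name, NULL};
 * argv goes straight to execvp(), so quotes, $, ` or ; in the name are only
 * bytes of argv[2]. Captures the child's stdout into buf; returns the child's
 * exit status, or -1 on error. */
int run_capture(char *const argv[], char *buf, size_t cap)
{
    int fd[2], status;
    if (pipe(fd) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                        /* child: stdout -> pipe */
        close(fd[0]); dup2(fd[1], STDOUT_FILENO); close(fd[1]);
        execvp(argv[0], argv);
        _exit(127);                        /* only reached if exec failed */
    }
    close(fd[1]);                          /* parent: drain the pipe */
    size_t n = 0; ssize_t r;
    while (n < cap - 1 && (r = read(fd[0], buf + n, cap - 1 - n)) > 0) n += (size_t)r;
    buf[n] = '\0';
    close(fd[0]);
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* If a shell command line is unavoidable: single-quote the name and turn each
 * embedded ' into '\'' (nothing else is special inside single quotes).
 * Returns the quoted length, or -1 if out cannot hold it. */
int shell_quote_single(const char *name, char *out, size_t cap)
{
    size_t o = 0;
    if (cap < 3) return -1;
    out[o++] = '\'';
    for (; *name; name++) {
        size_t need = (*name == '\'') ? 4 : 1;
        if (o + need >= cap) return -1;    /* keep room for closing quote + NUL */
        if (need == 4) { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *name;
    }
    if (o + 2 > cap) return -1;
    out[o++] = '\''; out[o] = '\0';
    return (int)o;
}
```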
--- Begin Message ---
Source: most
Source-Version: 5.0.0a-2.3+deb8u1

We believe that the bug you reported is fixed in the latest version of
most, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Mako Hill <m...@debian.org> (supplier of updated most package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 20 Dec 2016 16:52:16 -0800
Source: most
Binary: most
Architecture: source amd64
Version: 5.0.0a-2.3+deb8u1
Distribution: stable-proposed-updates
Urgency: high
Maintainer: Benjamin Mako Hill <m...@debian.org>
Changed-By: Benjamin Mako Hill <m...@debian.org>
Description:
 most       - Pager program similar to more and less
Closes: 848132
Changes:
 most (5.0.0a-2.3+deb8u1) stable-proposed-updates; urgency=high
 .
   * lzma-support.patch:
     - Fix CVE-2016-1253: shell injection attack when opening
       lzma-compressed files (Closes: #848132)


--- End Message ---
