On Fri, Mar 19, 2004 at 05:13:36PM +0000, Mikhael Goikhman wrote:
> On 19 Mar 2004 16:29:09 +0100, Dominik Vogt wrote:
> >
> > on 1-Jan-2004 you fixed a vulnerability in fvwm-menu-directory.in
> > that allowed an attacker to execute commands with the rights of
> > the fvwm user. I have backported it to 2.4.18, but I'm unsure if
> > the other fvwm-menu* scripts are vulnerable too.
>
> Only fvwm-menu-directory builds a menu from an arbitrary directory
> listing. Others use different methods to obtain the content. Well, if
> someone patches xlock -help output, or breaks into FreshMeat server, or
> affects gnome's installation, then theoretically other scripts may be
> problematic too. However it is easier just to patch fvwm and insert some
> trojan. Additionally, these other scripts process one input line at any
> time, and this line is escaped, so this multi-line problem can't appear.
>
> > The fvwm_make_{browse,directory}_menu.sh scripts are definitely
> > vulnerable too. As I don't know how to fix them, should they be
> > removed?
>
> These scripts are not installed, so they are less a problem. Also they
> use "ls | sed" to obtain the listing and not readdir(2). It is possible
> that there is some kind of shell escaping vulnerability, but not this
> multi-line vulnerability.

Yes. There was a problem with double quotes in file names. I
solved it by removing the quotes with sed.

> I think they simply produce incorrect menu
> entries if a file name contains end of line char, that's ok.

> P.S. Unfortunately my mouse is killed right now, so I am not very
> workable to test what I said. My fvwm is very usable, but applications
> are usually not designed to work well without mouse. The most missing
> feature is copy-and-paste in terminal, needed for any sane work.
> I managed to lock X when I tried to emulate mouse clicks using
> Shift-NumLock keypad presses... Hopefully I will fix my mouse soon. :)

Q 3.5 in the FAQ describes how to set up the keyboard to simulate
the mouse in XFree.

Ciao

Dominik ^_^  ^_^
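
An added example, not part of the thread and not fvwm code: a shell menu generator that keeps the property discussed above, that each directory entry yields exactly one menu line. The function names, the `Files` menu name, the `Nop` action and the sample file names are constructed for illustration; quote handling is limited to dropping double quotes, as the reply describes.

```shell
#!/bin/sh
# Added illustration; the menu line layout is simplified (assumption).

# has_no_control_chars NAME: succeed only if NAME has no control
# characters (newline, CR, tab, escape, ...), so it fits on one line.
has_no_control_chars() {
    [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ]
}

# safe_label NAME: print a one-line label, or return 1 to reject NAME.
safe_label() {
    has_no_control_chars "$1" || return 1
    # Drop double quotes so the label cannot close its own quoting.
    printf '%s\n' "$1" | sed 's/"//g'
}

# emit_menu DIR MENU: a title line plus one '+' line per accepted entry.
emit_menu() {
    printf 'AddToMenu "%s" "%s" Title\n' "$2" "$2"
    for path in "$1"/*; do
        [ -e "$path" ] || continue        # unmatched glob stays literal
        name=${path##*/}
        if label=$(safe_label "$name"); then
            printf '+ "%s" Nop\n' "$label"
        else
            echo "skipped an entry with control characters" >&2
        fi
    done
}

# demo: build a constructed directory, including one file whose name
# contains a newline followed by text shaped like a menu line.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/plain.txt"
    : > "$d/with\"quote"
    : > "$d/notes
+ injected Nop"
    emit_menu "$d" Files
    rm -rf "$d"
}

demo
```

The globbing loop hands each name to the script as one string, so an embedded newline is visible and can be rejected; a pipeline that reads `ls` output line by line has already split such a name in two by the time it sees it.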