Bug#1021951: man-db: less(1) option injection
On Tue, Oct 18, 2022 at 12:35:53PM +0200, Jakub Wilk wrote:
> * Colin Watson, 2022-10-18 00:12:
> > https://gitlab.com/cjwatson/man-db/-/commit/09304c00a4a3dea95da5d1f0aa1ad4c20c292f3b
>
> Unfortunately this isn't quite right.
>
> The fix broke prompts for man pages that had special characters in their
> titles. For example, for apt.conf.5 the prompt looks like this:
>
>   Manual page aptconf(5) line 1 ...
[...]
> All in all, I think --use-backslash is not worth the trouble. Maybe just
> replace dollars with something harmless (say, question marks)? I doubt there
> are any non-nefarious use cases for dollars in man page titles.

OK, I see your point. Done:
https://gitlab.com/cjwatson/man-db/-/commit/0d80ec4d5c987acb502a7787240f56e3cec65497

(Sorry for the delay; I've been travelling.)

--
Colin Watson (he/him) [cjwat...@debian.org]
Bug#1021951: man-db: less(1) option injection
* Colin Watson, 2022-10-18 00:12:
> https://gitlab.com/cjwatson/man-db/-/commit/09304c00a4a3dea95da5d1f0aa1ad4c20c292f3b

Unfortunately this isn't quite right.

The fix broke prompts for man pages that had special characters in their
titles. For example, for apt.conf.5 the prompt looks like this:

  Manual page aptconf(5) line 1 ...

It seems you're supposed to do two rounds of escaping: one for the prompt
parser (question mark, colon, period, percent, and backslash) and another
for the generic option parser (dollar and backslash AGAIN).

Another problem is that the user's existing $LESS variable may rely on
--use-backslash not being set. I thought you could disable it with
-+--use-backslash, but apparently then there's no way to re-enable it:

  $ LESS='-Psfoobar' less -f /dev/null
  foo\\bar
  $ LESS='--use-backslash -Psfoobar' less -f /dev/null
  foo\bar
  $ LESS='--use-backslash -+--use-backslash -Psfoobar' less -f /dev/null  # so far so good...
  foo\\bar
  $ LESS='--use-backslash -+--use-backslash --use-backslash -Psfoobar' less -f /dev/null  # huh?
  foo\\bar

All in all, I think --use-backslash is not worth the trouble. Maybe just
replace dollars with something harmless (say, question marks)? I doubt there
are any non-nefarious use cases for dollars in man page titles.

> I think this is a niche enough case that I don't plan to put work into
> getting a CVE allocated, backporting fixes, etc.

Good call.

--
Jakub Wilk
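As an added example (not man-db's code and not from either commit linked in this thread), here is a C helper that applies the approach Jakub proposes above: turn every '$' in the title into a '?' and then backslash-escape the prompt parser's own special characters, so only one round of escaping is needed and --use-backslash is not required. The function names and the prompt template are assumptions, not man-db's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters the less prompt parser treats specially; each must be
 * backslash-escaped to appear literally (per the thread: ? : . % and \). */
static int is_prompt_special(char c)
{
    return c == '?' || c == ':' || c == '.' || c == '%' || c == '\\';
}

/* Hypothetical helper: make a man page title safe to embed in the -P string
 * placed into $LESS.  A bare '$' terminates a string option inside $LESS, so
 * text after it would be parsed as further less options; it is turned into a
 * harmless '?' (escaped by the next step).  Caller frees the result. */
char *sanitize_less_prompt(const char *title)
{
    size_t len = strlen(title);
    char *out = malloc(2 * len + 1);   /* worst case: every char escaped */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (const char *s = title; *s != '\0'; s++) {
        char c = (*s == '$') ? '?' : *s;
        if (is_prompt_special(c))
            *p++ = '\\';
        *p++ = c;
    }
    *p = '\0';
    return out;
}

/* Hypothetical helper: build a complete -Ps (short prompt) option.  The
 * template is a constructed simplification of the prompt seen in the thread. */
char *build_less_prompt_option(const char *name, const char *section)
{
    char *sname = sanitize_less_prompt(name);
    char *ssec = sanitize_less_prompt(section);
    char *out = NULL;
    if (sname != NULL && ssec != NULL) {
        const char *fmt = "-PsManual page %s(%s) line %%lt";
        int n = snprintf(NULL, 0, fmt, sname, ssec);
        out = malloc((size_t)n + 1);
        if (out != NULL)
            snprintf(out, (size_t)n + 1, fmt, sname, ssec);
    }
    free(sname); free(ssec);
    return out;
}
```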
Bug#1021951: man-db: less(1) option injection
Control: tag -1 fixed-upstream

On Mon, Oct 17, 2022 at 10:15:08PM +0200, Jakub Wilk wrote:
> "$" is a special character in $LESS, but man-db doesn't take care of
> neutralizing it. This could be exploited for arbitrary code execution if the
> user were tricked to run "man -l" on files with names crafted by the
> attacker.

Thanks, fixed upstream:
https://gitlab.com/cjwatson/man-db/-/commit/09304c00a4a3dea95da5d1f0aa1ad4c20c292f3b

(I think this is a niche enough case that I don't plan to put work into
getting a CVE allocated, backporting fixes, etc. If somebody else thinks
otherwise then they should feel free.)

--
Colin Watson (he/him) [cjwat...@debian.org]
Bug#1021951: man-db: less(1) option injection
Package: man-db
Version: 2.11.0-1+b1
Tags: security

"$" is a special character in $LESS, but man-db doesn't take care of
neutralizing it. This could be exploited for arbitrary code execution if the
user were tricked to run "man -l" on files with names crafted by the
attacker.

Proof of concept:

  $ cp /dev/null $'$+!cowsay pwned\n$+q-P.1'
  $ man -l ./*.1
  !cowsay pwned
   _______
  < pwned >
   -------
          \   ^__^
           \  (oo)\_______
              (__)\       )\/\
                  ||----w |
                  ||     ||
  !done  (press RETURN)

-- System Information:
Architecture: i386

Versions of packages man-db depends on:
ii  bsdextrautils  2.38.1-1.1+b1
ii  bsdmainutils   12.1.7+nmu3
ii  groff-base     1.22.4-8
ii  debconf        1.5.79
ii  libc6          2.35-3
ii  libgdbm6       1.23-3
ii  libpipeline1   1.5.6-3
ii  libseccomp2    2.5.4-1+b1
ii  zlib1g         1:1.2.11.dfsg-4.1

Versions of packages man-db suggests:
ii  apparmor  3.0.7-1+b1
ii  groff     1.22.4-8
ii  less      590-1

--
Jakub Wilk