Bug#696917: roxterm does not handle quotes in URLs correctly

2012-12-29 Thread Tony Houghton
On Sat, 29 Dec 2012 16:29:18 +0400
Michael Tokarev wrote:

> I think the easiest fix will be to disallow single quotes in URLs just
> like double quotes are currently handled (so that a single quote will
> be treated as end of URL).  Yes, this way it won't be possible to use
> URLs with quotes in them, like
> 
>   http://en.wikipedia.org/wiki/What_we've_got_here_is_(a)_failure_to_communicate
> 
> but it's a minor issue in my opinion.

I could add an extra parsing stage and replace them with %27, I think
that should work.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#696917: roxterm does not handle quotes in URLs correctly

2012-12-29 Thread Michael Tokarev

Control: severity -1 normal
Control: tags -1 - security

29.12.2012 15:49, Michael Tokarev wrote:

> Source: roxterm
> Version: 2.6.5-1
> Severity: grave
> Tags: security
> 
> When trying to click on a URL inside the roxterm window that contains
> a single quote ('), the resulting command sent to the shell includes
> this quote and is interpreted by the shell, for example:
> 
>    http://example.com/quote'here
> 
> will be handled as
> 
>    x-www-browser 'http://example.com/quote'here'
> 
> In this example, shell will complain that there's no closing quote before
> the end of command, but I can guess this can be (ab)used for some more
> interesting scenarios, like to spawn commands unexpectedly:
> 
>    http://example.com/one'foo|bar'two


After trying to exploit this, followed by the code analysis, I found out
that this is not the case.

roxterm indeed constructs the command line in a single string, and adds
single quotes around the URL.  But next thing it does is to call
g_shell_parse_argv() on the resulting string, to create argv[] array.

And it is this function - g_shell_parse_argv() from glib - which
complains about unbalanced quotes.  No shell or external command run
is actually involved here.  So I don't think this issue is exploitable.

The bug is present still, since it errors out on certain URLs instead of
displaying them, but it is not a security issue anymore, as I initially
thought.

Downgrading severity and untagging accordingly.

I think the easiest fix will be to disallow single quotes in URLs just
like double quotes are currently handled (so that a single quote will
be treated as end of URL).  Yes, this way it won't be possible to use
URLs with quotes in them, like

 http://en.wikipedia.org/wiki/What_we've_got_here_is_(a)_failure_to_communicate

but it's a minor issue in my opinion.

Thanks,

/mjt
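
An added example, not part of the thread and not roxterm or GLib code: the %27 replacement stage proposed in the reply, next to a simplified model of what shell-style quote parsing does with a URL that has been wrapped in single quotes. The function names `escape_single_quotes` and `unquote_wrapped` are hypothetical, and the quote model is an assumption that tracks only single quotes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Proposed extra stage: replace each ' in the URL with %27. Caller frees. */
char *escape_single_quotes(const char *url)
{
    size_t n = 0;
    for (const char *p = url; *p; p++)
        n += (*p == '\'') ? 3 : 1;
    char *out = malloc(n + 1), *q = out;
    if (!out)
        return NULL;
    for (const char *p = url; *p; p++) {
        if (*p == '\'') { memcpy(q, "%27", 3); q += 3; }
        else            { *q++ = *p; }
    }
    *q = '\0';
    return out;
}

/* Simplified model (an assumption, not GLib's code) of shell-style parsing
 * of the text ' + url + ': quotes toggle literal mode and are dropped.
 * Returns 0 on success, -1 if a quote is left open, -2 if out is too small. */
int unquote_wrapped(const char *url, char *out, size_t outsz)
{
    int in_quote = 1;                 /* opening quote added by the wrapper */
    size_t o = 0;
    if (outsz == 0)
        return -2;
    for (const char *p = url; *p; p++) {
        if (*p == '\'') { in_quote = !in_quote; continue; }
        if (o + 1 >= outsz)
            return -2;
        out[o++] = *p;
    }
    out[o] = '\0';
    in_quote = !in_quote;             /* closing quote added by the wrapper */
    return in_quote ? -1 : 0;
}

int main(void)
{
    const char *raw = "http://example.com/quote'here";   /* URL from the report */
    char buf[256], *esc = escape_single_quotes(raw);
    if (!esc) return 1;
    printf("raw:     rc=%d\n", unquote_wrapped(raw, buf, sizeof buf));
    printf("escaped: rc=%d arg=%s\n", unquote_wrapped(esc, buf, sizeof buf), buf);
    free(esc);
    return 0;
}
```

In this model the report's second URL, with two quotes, parses without error but loses both quotes, so the argument no longer matches the URL; after escaping, the argument round-trips unchanged.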





Bug#696917: roxterm does not handle quotes in URLs correctly

2012-12-29 Thread Michael Tokarev
Source: roxterm
Version: 2.6.5-1
Severity: grave
Tags: security

When trying to click on a URL inside the roxterm window that contains
a single quote ('), the resulting command sent to the shell includes
this quote and is interpreted by the shell, for example:

  http://example.com/quote'here

will be handled as

  x-www-browser 'http://example.com/quote'here'

In this example, shell will complain that there's no closing quote before
the end of command, but I can guess this can be (ab)used for some more
interesting scenarios, like to spawn commands unexpectedly:

  http://example.com/one'foo|bar'two

or the like.  The charset allowed in this context does not contain space
and tab, so it isn't directly possible to run some even more interesting
commands (like rm -rf /), but it is enough for a good exploit already.

I think this issue deserves a CVE#.

Thanks,

/mjt

