Bug#788780: apt-file: diffindex-rred passes arguments to the shell

2015-06-21 Thread Thijs Kinkhorst
On Sun, June 14, 2015 23:57, brian m. carlson wrote:
> I'm marking this bug as security in case the Security Team wants to
> issue an advisory, although I suspect they will not (or I would have
> notified them directly).

Agreed that although good to fix, this is not something for an advisory.


Cheers,
Thijs





Bug#788780: apt-file: diffindex-rred passes arguments to the shell

2015-06-14 Thread brian m. carlson
Package: apt-file
Version: 2.5.4
Severity: normal
Tags: security

diffindex-rred treats its parameters as shell expressions because it
uses two-argument open[0].  For example, invoking

  diffindex-rred '/bin/false |/path/to/malicious/program .gz'

at the shell results in the malicious program being executed.  This is
not what the user expects from a restricted editor.

I'm filing this as a normal bug because it isn't remotely exploitable in
ordinary usage, since patches cannot contain spaces or pipes
(diffindex-download line 296), although one can pass a single option to
the decompressor.  In order to exploit this, one must explicitly call
diffindex-rred with untrusted arguments, and I have no indication it is
actually used outside of apt-file, despite being in $PATH.

In general, one should never use the two-argument form of open, and
several places in the code pass all sorts of things through the shell
that should have no interaction with the shell at all.  I can't find any
that are actually exploitable in typical usage, but I've spent only an
hour looking.  I recommend a thorough audit.

I'm marking this bug as security in case the Security Team wants to
issue an advisory, although I suspect they will not (or I would have
notified them directly).

[0] https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=76775519

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt-file depends on:
ii  curl                           7.42.1-3
ii  libapt-pkg-perl                0.1.29+b2
ii  libconfig-file-perl            1.50-3
ii  liblist-moreutils-perl         0.410-1
ii  libregexp-assemble-perl        0.35-8
ii  perl                           5.20.2-6
ii  perl-base [libfile-temp-perl]  5.20.2-6

apt-file recommends no packages.

Versions of packages apt-file suggests:
ii  openssh-client  1:6.7p1-6
ii  sudo            1.8.12-1

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187


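The two-argument open() problem the report above describes, illustrated by an added example that is neither apt-file's code nor the reporter's: a plain-file reader and a .gz reader written with the three-argument and list-form open(), where the mode is fixed by the caller and the filename can no longer be parsed as a pipe or a shell expression, plus a conservative path check. The helper names, the gzip command line and the sample file names are assumptions, not taken from apt-file.

```perl
#!/usr/bin/perl
# Added example, not code from apt-file or from the bug report.
# Safe replacements for two-argument open(): with an explicit mode the
# filename is only ever a path, never '|cmd', 'cmd|' or a shell expression.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Read a plain file. The explicit '<' mode means a name such as 'foo |' is
# simply a (normally nonexistent) file called "foo |", never a pipeline.
sub read_file {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    local $/;                        # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Read a gzip-compressed file through the decompressor without a shell.
# The list form of open() execs gzip directly (no /bin/sh), so spaces,
# '|', ';' and quotes in $path are inert. '--' stops a leading '-' in
# $path from being read as a gzip option, the single-option injection the
# report mentions. The gzip command line is an assumption; apt-file's own
# decompressor call may differ.
sub read_gz {
    my ($path) = @_;
    open(my $fh, '-|', 'gzip', '-dc', '--', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh or return undef;       # false here means gzip exited non-zero
    return $data;
}

# Belt-and-braces input check for callers that only ever expect an ordinary
# path: reject anything outside a conservative character set.
sub is_plain_path {
    my ($path) = @_;
    return ($path =~ m{\A[A-Za-z0-9_./+~-]+\z}) ? 1 : 0;
}

# --- demo on constructed input -------------------------------------------
my ($tmp, $tmpname) = tempfile(UNLINK => 1);   # constructed sample file
print {$tmp} "hello from a real file\n";
close $tmp;
print "read_file: ", read_file($tmpname);

# A constructed name of the shape two-argument open() would misread as a
# pipeline. With the three-argument form it is merely a missing file.
my $odd = 'notes.txt |';
printf "is_plain_path('%s') = %d\n", $odd, is_plain_path($odd);   # 0
my $got = read_file($odd);
print "read_file('$odd'): ", (defined $got ? "opened" : "refused ($!)"), "\n";
```

The list-form pipe open (four or more arguments with mode '-|' or '|-') is what removes the shell from the decompressor call; with a single command string Perl still hands the line to /bin/sh when it contains metacharacters, so the fix is the argument list, not just the mode.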