Bug#848132: marked as done (most: CVE-2016-1253: shell injection attack using LZMA-compressed files)
Your message dated Sat, 31 Dec 2016 21:02:32 +
with message-id and subject line Bug#848132: fixed in most 5.0.0a-2.3+deb8u1
has caused the Debian Bug report #848132,
regarding most: CVE-2016-1253: shell injection attack using LZMA-compressed files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
848132: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848132
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: most
Version: 5.0.0a-1
Severity: grave
Tags: security patch
Justification: user security hole

Hello,

the most pager can automatically open files compressed with gzip, bzip2 and (in Debian) LZMA. This is done using popen() and, in earlier releases of most, it was vulnerable to a shell injection attack. most fixed this in v5.0.0 (released in 2007), but the Debian patch that added LZMA support (bug #466574) remains vulnerable.

It is trivial to generate a file with a certain name and content that, when opened with most, runs arbitrary commands on the user's computer.

most is also launched by other programs as a pager for text files (example: an e-mail client that needs to open an attachment). If any of those programs generates a temporary file name that can be set by an attacker, then that can be used to break into the user's machine. I don't have any example of such a program, however.

All versions of most >= 5.0.0a-1 including 5.0.0a-2.5 in Debian (and derivatives that include the LZMA patch) are vulnerable (older versions are vulnerable in all distros as I explained earlier).
https://security-tracker.debian.org/tracker/CVE-2016-1253

I'm attaching the debdiff with the patch. It simply replaces single quotes with double quotes in the command passed to popen(). Double quotes in the filename are escaped by most in order to prevent this kind of attack, but this offers no protection if the file name is enclosed in single quotes.

Regards,

Berto

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages most depends on:
ii  libc6      2.24-7
ii  libslang2  2.3.1-5

most recommends no packages.

most suggests no packages.

-- no debconf information

diff -Nru most-5.0.0a/debian/changelog most-5.0.0a/debian/changelog --- most-5.0.0a/debian/changelog 2016-08-05 02:55:52.0 +0300 +++ most-5.0.0a/debian/changelog 2016-12-14 14:31:29.0 +0200 @@ -1,3 +1,12 @@ +most (5.0.0a-2.6) unstable; urgency=high + + * Non-maintainer upload. + * lzma-support.patch: +- Fix CVE-2016-1253 (shell injection attack when opening + lzma-compressed files). + + -- Alberto Garcia Wed, 14 Dec 2016 14:31:29 +0200 + most (5.0.0a-2.5) unstable; urgency=medium * Non-maintainer upload. diff -Nru most-5.0.0a/debian/patches/lzma-support.patch most-5.0.0a/debian/patches/lzma-support.patch --- most-5.0.0a/debian/patches/lzma-support.patch 2016-07-22 01:50:23.0 +0300 +++ most-5.0.0a/debian/patches/lzma-support.patch 2016-12-14 14:25:03.0 +0200 @@ -1,3 +1,5 @@ +Index: most-5.0.0a/src/file.c +=== --- most-5.0.0a.orig/src/file.c +++ most-5.0.0a/src/file.c @@ -77,7 +77,7 @@ static int create_gunzip_cmd (char *cmd, @@ -32,13 +34,15 @@ if (cmd != NULL) { +Index: most-5.0.0a/src/file.h +=== --- most-5.0.0a.orig/src/file.h +++ most-5.0.0a/src/file.h
@@ -22,6 +22,7 @@ #define MOST_MAX_FILES 4096 #define MOST_GUNZIP_POPEN_FORMAT "gzip -dc \"%s\"" #define MOST_BZIP2_POPEN_FORMAT "bzip2 -dc \"%s\"" -+#define MOST_LZMA_POPEN_FORMAT "lzma -dc '%s'" ++#define MOST_LZMA_POPEN_FORMAT "lzma -dc \"%s\"" extern void most_reread_file (void); extern void most_read_to_line (int);
--- End Message ---

--- Begin Message ---
Source: most
Source-Version: 5.0.0a-2.3+deb8u1

We believe that the bug you reported is fixed in the latest version of
most, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 848...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benj
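Review bot: the debian/changelog hunk names the CVE but does not say what actually changed, which leaves the next maintainer reading the patch file to find out; the `- Fix CVE-2016-1253 (shell injection attack when opening lzma-compressed files).` bullet would be more useful if it also recorded that MOST_LZMA_POPEN_FORMAT now wraps the file name in double quotes, matching MOST_GUNZIP_POPEN_FORMAT and MOST_BZIP2_POPEN_FORMAT so that most's existing escaping of double quotes covers the LZMA path. The entry is for 5.0.0a-2.6 and carries urgency=high, which fits a security NMU; note that the closing messages in this report record the fix as shipped in 5.0.0a-3 and 5.0.0a-2.3+deb8u1 rather than 5.0.0a-2.6.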
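Review bot: the src/file.h hunk changes only the quoting in MOST_LZMA_POPEN_FORMAT (`'%s'` to `\"%s\"`), which is correct as far as it goes: the gzip and bzip2 formats in the same hunk already use escaped double quotes, and the report states that most escapes double quotes in the file name, so after this change the LZMA command gets the same protection as the other two. The safety of the result still rests entirely on that escaping routine in src/file.c being applied on the LZMA path, and nothing in this debdiff shows it (the file.c part of the patch only gains `Index:` headers), so the reviewer should confirm that in the already-applied lzma-support.patch before accepting. Longer term, the cleanest way to retire this class of bug is to stop building a command string for popen() at all and exec the decompressor with an argument vector, so no shell ever parses the file name.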
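The report's fix keeps popen() and changes how the file name is quoted so that most's own escaping applies. The added example below is not code from most or from the Debian patch; it shows the alternative a defender would reach for: exec the decompressor directly with an argv, so no shell is involved and the file name is never parsed for quotes, spaces or other metacharacters. The function names read_via_exec, make_demo_file and demo_awkward_name are hypothetical, the file name and contents are constructed for the demo, and `cat` stands in for the decompressor so the program runs offline without lzma installed.

```c
/* Added example (not from most or the Debian patch): read a file through a
 * helper program by exec'ing it with an argument vector instead of handing a
 * command string to popen().  popen() passes its string to /bin/sh, which is
 * why the quoting in MOST_LZMA_POPEN_FORMAT mattered; execvp() passes each
 * argument as opaque bytes, so the file name cannot change the command. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv[0] with argv (no shell) and copy its stdout into out as a
 * NUL-terminated string of at most cap-1 bytes.  Extra output is drained
 * and dropped so the child never blocks on a full pipe.  Returns the number
 * of bytes kept, or -1 if spawning failed or the child exited non-zero. */
static long read_via_exec(char *const argv[], char *out, size_t cap)
{
    int fds[2];
    if (cap == 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        /* child: stdout -> pipe, then exec; argv is used verbatim */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed: report as non-zero exit */
    }
    close(fds[1]);
    size_t used = 0;
    char scratch[256];
    for (;;) {
        int into_out = (used + 1 < cap);
        ssize_t n = into_out ? read(fds[0], out + used, cap - 1 - used)
                             : read(fds[0], scratch, sizeof scratch);
        if (n <= 0) break;
        if (into_out) used += (size_t)n;
    }
    out[used] = '\0';
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return (long)used;
}

/* Create a file with the given (deliberately awkward) name inside a fresh
 * temporary directory; the full path is written to path.  Constructed for
 * the demo; returns 0 on success. */
static int make_demo_file(const char *name, const char *content,
                          char *path, size_t cap)
{
    char dir[] = "/tmp/most-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    if (snprintf(path, cap, "%s/%s", dir, name) >= (int)cap) return -1;
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(content, f);
    fclose(f);
    return 0;
}

/* End-to-end check: a file whose name contains a single quote, spaces and
 * parentheses is read back byte for byte through `cat` (standing in for the
 * decompressor).  Writes the captured output to out; returns 1 on success. */
int demo_awkward_name(char *out, size_t cap)
{
    char path[512];
    const char *content = "hello from an oddly named file\n";   /* constructed */
    if (make_demo_file("it's here (1).txt", content, path, sizeof path) != 0)
        return 0;
    char *argv[] = { "cat", path, NULL };
    long n = read_via_exec(argv, out, cap);
    /* clean up the file and its temporary directory */
    unlink(path);
    char *slash = strrchr(path, '/');
    if (slash != NULL) { *slash = '\0'; rmdir(path); }
    return n == (long)strlen(content) && strcmp(out, content) == 0;
}

int main(void)
{
    char buf[256];
    if (!demo_awkward_name(buf, sizeof buf)) {
        fprintf(stderr, "demo failed\n");
        return 1;
    }
    fputs(buf, stdout);
    return 0;
}
```

With popen(), the same name would have to be quoted correctly for whichever quoting context the format string places it in; the exec path removes that requirement, and a decompressor such as `lzma -dc` can be substituted for `cat` by changing only argv.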
Bug#848132: marked as done (most: CVE-2016-1253: shell injection attack using LZMA-compressed files)
Your message dated Thu, 15 Dec 2016 03:06:47 +
with message-id and subject line Bug#848132: fixed in most 5.0.0a-3
has caused the Debian Bug report #848132,
regarding most: CVE-2016-1253: shell injection attack using LZMA-compressed files
to be marked as done.

--- Begin Message ---
Source: most
Source-Version: 5.0.0a-3

We believe that the bug you reported is fixed in the latest version of
most, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 848...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Mako Hill (s