Bug#848132: marked as done (most: CVE-2016-1253: shell injection attack using LZMA-compressed files)

2016-12-31 Thread Debian Bug Tracking System
Your message dated Sat, 31 Dec 2016 21:02:32 +
with message-id 
and subject line Bug#848132: fixed in most 5.0.0a-2.3+deb8u1
has caused the Debian Bug report #848132,
regarding most: CVE-2016-1253: shell injection attack using LZMA-compressed files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
848132: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848132
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: most
Version: 5.0.0a-1
Severity: grave
Tags: security patch
Justification: user security hole

Hello,

the most pager can automatically open files compressed with gzip,
bzip2 and (in Debian) LZMA.

This is done using popen() and, in earlier releases of most, it was
vulnerable to a shell injection attack.

most fixed this in v5.0.0 (released in 2007), but the Debian patch
that added LZMA support (bug #466574) remains vulnerable.

It is trivial to generate a file with a certain name and content that,
when opened with most, runs arbitrary commands on the user's computer.

most is also launched by other programs as a pager for text files
(example: an e-mail client that needs to open an attachment). If any
of those programs generates a temporary file name that can be set by
an attacker, then that can be used to break into the user's machine.
I don't have any example of such program, however.

All versions of most >= 5.0.0a-1 including 5.0.0a-2.5 in Debian
(and derivatives that include the LZMA patch) are vulnerable (older
versions are vulnerable in all distros as I explained earlier).

   https://security-tracker.debian.org/tracker/CVE-2016-1253

I'm attaching the debdiff with the patch. It simply replaces single
quotes with double quotes in the command passed to popen(). Double
quotes in the filename are escaped by most in order to prevent this
kind of attack, but this offers no protection if the file name is
enclosed in single quotes.

Regards,

Berto

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages most depends on:
ii  libc6  2.24-7
ii  libslang2  2.3.1-5

most recommends no packages.

most suggests no packages.

-- no debconf information
diff -Nru most-5.0.0a/debian/changelog most-5.0.0a/debian/changelog
--- most-5.0.0a/debian/changelog	2016-08-05 02:55:52.0 +0300
+++ most-5.0.0a/debian/changelog	2016-12-14 14:31:29.0 +0200
@@ -1,3 +1,12 @@
+most (5.0.0a-2.6) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * lzma-support.patch:
+- Fix CVE-2016-1253 (shell injection attack when opening
+  lzma-compressed files).
+
+ -- Alberto Garcia   Wed, 14 Dec 2016 14:31:29 +0200
+
 most (5.0.0a-2.5) unstable; urgency=medium
 
   * Non-maintainer upload.
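Review bot: the new changelog stanza does not reference the bug it fixes; adding `(Closes: #848132)` to the "Fix CVE-2016-1253" line lets the BTS close the report automatically on upload instead of by hand. Note also that the stanza is versioned 5.0.0a-2.6, while the notifications on this page show the report was closed by uploads of 5.0.0a-3 and 5.0.0a-2.3+deb8u1, so the version line should be adjusted to whatever is actually uploaded.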
diff -Nru most-5.0.0a/debian/patches/lzma-support.patch most-5.0.0a/debian/patches/lzma-support.patch
--- most-5.0.0a/debian/patches/lzma-support.patch	2016-07-22 01:50:23.0 +0300
+++ most-5.0.0a/debian/patches/lzma-support.patch	2016-12-14 14:25:03.0 +0200
@@ -1,3 +1,5 @@
+Index: most-5.0.0a/src/file.c
+===
 --- most-5.0.0a.orig/src/file.c
 +++ most-5.0.0a/src/file.c
 @@ -77,7 +77,7 @@ static int create_gunzip_cmd (char *cmd,
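Review bot: the two added `Index:` header lines (here and in the file.h region below) are cosmetic and unrelated to the security fix; quilt applies the patch without them, and keeping the debdiff to the one-line quoting change makes the security update easier to review and to cherry-pick into stable. If they are kept, the `===` separator should be the full separator line quilt itself emits rather than the truncated form shown.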
@@ -32,13 +34,15 @@
  	
  	if (cmd != NULL)
  	  {
+Index: most-5.0.0a/src/file.h
+===
 --- most-5.0.0a.orig/src/file.h
 +++ most-5.0.0a/src/file.h
 @@ -22,6 +22,7 @@
  #define MOST_MAX_FILES 4096
  #define MOST_GUNZIP_POPEN_FORMAT "gzip -dc \"%s\""
  #define MOST_BZIP2_POPEN_FORMAT "bzip2 -dc \"%s\""
-+#define MOST_LZMA_POPEN_FORMAT "lzma -dc '%s'"
++#define MOST_LZMA_POPEN_FORMAT "lzma -dc \"%s\""
  
  extern void most_reread_file (void);
  extern void most_read_to_line (int);
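Review bot: the change brings MOST_LZMA_POPEN_FORMAT into line with the gzip and bzip2 formats two lines above it, but the string still goes through popen(), and inside double quotes /bin/sh keeps interpreting `$`, backtick and backslash. The report only says most escapes `"`; unless it also escapes those three characters (not visible in this hunk), a file name containing them is still handed to the shell for expansion. As a minimal stable update the quoting change is acceptable, but the durable fix is to start the decompressor with an argv (fork/execvp or posix_spawn) so no shell ever parses the name; that should at least be noted in the changelog or a follow-up bug.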
--- End Message ---
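The following is an added example and is not code from most, from the Debian patch, or from the reporter. It puts the two format strings from the debdiff side by side to show why the quoting style decides whether a file name stays a single literal argument, adds a small check for the characters a POSIX shell still interprets under each quoting style, and shows the shell-free alternative: starting the decompressor through fork/execvp with an argv so /bin/sh never sees the name. It assumes a POSIX system; the helper names (`name_escapes_quoting`, `build_popen_cmd`, `open_pipe_from_argv`, `noshell_roundtrip`) are hypothetical, and the round trip uses `cat` as a stand-in for `lzma -dc` so it runs without xz-utils installed.

```c
/* Added example: popen() quoting versus a shell-free pipe.
 * Assumes POSIX (fork, pipe, execvp, mkdtemp); helper names are hypothetical.
 * Only the two format strings below are taken from the Debian debdiff. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* MOST_LZMA_POPEN_FORMAT before and after the fix, as shown in the debdiff. */
#define OLD_LZMA_POPEN_FORMAT "lzma -dc '%s'"
#define NEW_LZMA_POPEN_FORMAT "lzma -dc \"%s\""

/* Return 1 if 'name' contains a character the shell interprets inside the
 * given quoting style, i.e. the quotes alone do not keep the name literal.
 * Inside single quotes only a single quote is special (it ends the string);
 * inside double quotes the shell still processes ", $, backtick and backslash. */
int name_escapes_quoting(const char *name, char quote)
{
    const char *special = (quote == '\'') ? "'" : "\"$`\\";
    return strpbrk(name, special) != NULL;
}

/* Build the command line exactly as popen(fmt-with-name) would receive it,
 * so the effect of the quoting can be inspected. Returns 1 unless truncated. */
int build_popen_cmd(char *out, size_t outlen, const char *fmt, const char *name)
{
    int n = snprintf(out, outlen, fmt, name);
    return n >= 0 && (size_t)n < outlen;
}

/* Shell-free alternative to popen(): run argv[0] with the given argv and
 * return a FILE* reading its stdout. The file name is one argv element and is
 * never parsed by a shell. *pid receives the child for waitpid(). */
FILE *open_pipe_from_argv(char *const argv[], pid_t *pid)
{
    int fds[2];
    if (pipe(fds) != 0) return NULL;
    *pid = fork();
    if (*pid < 0) { close(fds[0]); close(fds[1]); return NULL; }
    if (*pid == 0) {
        dup2(fds[1], STDOUT_FILENO);     /* child: stdout goes into the pipe */
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);           /* no /bin/sh involved */
        _exit(127);
    }
    close(fds[1]);
    return fdopen(fds[0], "r");
}

/* Write 'content' to a constructed file whose name contains a single quote
 * and a $(...) sequence, read it back through the shell-free pipe using
 * 'cat', and store what the tool produced in 'out'. Returns 0 on success. */
int noshell_roundtrip(const char *content, char *out, size_t outlen)
{
    const char *tmp = getenv("TMPDIR");
    char dir[512];
    snprintf(dir, sizeof dir, "%s/quotedemoXXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL) return -1;
    char path[600];
    snprintf(path, sizeof path, "%s/it's $(x).txt", dir);  /* constructed name */
    FILE *f = fopen(path, "w");
    if (f == NULL) { rmdir(dir); return -1; }
    fputs(content, f);
    fclose(f);

    char *const argv[] = { "cat", "--", path, NULL };       /* stand-in for lzma -dc */
    pid_t pid;
    FILE *p = open_pipe_from_argv(argv, &pid);
    if (p == NULL) { unlink(path); rmdir(dir); return -1; }
    size_t got = fread(out, 1, outlen - 1, p);
    out[got] = '\0';
    fclose(p);
    waitpid(pid, NULL, 0);
    unlink(path);
    rmdir(dir);
    return 0;
}

int main(void)
{
    char cmd[128], out[64];
    build_popen_cmd(cmd, sizeof cmd, OLD_LZMA_POPEN_FORMAT, "it's.lzma");
    printf("old format yields: %s\n", cmd);                 /* quote closes early */
    build_popen_cmd(cmd, sizeof cmd, NEW_LZMA_POPEN_FORMAT, "it's.lzma");
    printf("new format yields: %s\n", cmd);                 /* name stays one word */
    printf("a$b.lzma still special under double quotes: %d\n",
           name_escapes_quoting("a$b.lzma", '"'));
    if (noshell_roundtrip("hello from the pipe\n", out, sizeof out) == 0)
        printf("shell-free pipe read back: %s", out);
    return 0;
}
```

The `name_escapes_quoting` check is what makes the review point concrete: under single quotes a name like `it's.lzma` ends the quoted string, while under double quotes it is harmless but `a$b.lzma` is not. The argv-based pipe sidesteps the whole question, which is why it is the preferred shape for any pager or mail client that opens attacker-named files.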
--- Begin Message ---
Source: most
Source-Version: 5.0.0a-2.3+deb8u1

We believe that the bug you reported is fixed in the latest version of
most, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benj

Bug#848132: marked as done (most: CVE-2016-1253: shell injection attack using LZMA-compressed files)

2016-12-14 Thread Debian Bug Tracking System
Your message dated Thu, 15 Dec 2016 03:06:47 +
with message-id 
and subject line Bug#848132: fixed in most 5.0.0a-3
has caused the Debian Bug report #848132,
regarding most: CVE-2016-1253: shell injection attack using LZMA-compressed files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
848132: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848132
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: most
Source-Version: 5.0.0a-3

We believe that the bug you reported is fixed in the latest version of
most, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Mako Hill  (s