*** This bug is a security vulnerability *** Public security bug reported:
Hi Dustin, Some recent changes introduced what looks to be a serious problem: http://launchpadlibrarian.net/296647523/base- files_9.6ubuntu7_9.6ubuntu8.diff.gz -SERVER="https://motd.ubuntu.com"; +# White space separated list of 0 to many news services +SERVER="http://motd.ubuntu.com"; [...] + if curl --connect-timeout "$WAIT" --max-time "$WAIT" -A "$USER_AGENT" -o- "$s" >"$NEWS" 2>"$ERR"; then + echo + # At most, 2 lines of at most 80 characters + cat "$NEWS" | tail -n 2 | cut -c -80 This allows any network man-in-the-middle attacker, DNS response forger, or BGP forger, to write 160 raw bytes directly to terminals. The previous version wasn't good (open for abuse by anyone who could trick one of the myriad x.509 Certificate Authorities to mis-issue a certificate) but this version is open for abuse by significantly more attackers. While most terminals are reasonably safe against outright maliciousness this has been a recurring exploitation theme for twenty years, and even what is "safe" for them to display could be wildly confusing to users unfamiliar with maliciously controlled terminals. (And users have wide tastes in terminals, some are fairly brittle.) cat(1) does not do any filtering for 'safe' display of arbitrary inputs. less(1) does, assuming -r is not in LESS environment variable or the less(1) command line. If you wish to keep the pipeline, perhaps tr(1)'s -d flag could be useful. On a related note, is there a reason why the motd.ubuntu.com server can't do HTTPS? Thanks ** Affects: base-files (Ubuntu) Importance: Critical Status: Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to base-files in Ubuntu. https://bugs.launchpad.net/bugs/1649352 Title: http direct to terminals? Status in base-files package in Ubuntu: Confirmed Bug description: Hi Dustin, Some recent changes introduced what looks to be a serious problem: http://launchpadlibrarian.net/296647523/base- files_9.6ubuntu7_9.6ubuntu8.diff.gz -SERVER="https://motd.ubuntu.com"; +# White space separated list of 0 to many news services +SERVER="http://motd.ubuntu.com"; [...] + if curl --connect-timeout "$WAIT" --max-time "$WAIT" -A "$USER_AGENT" -o- "$s" >"$NEWS" 2>"$ERR"; then + echo + # At most, 2 lines of at most 80 characters + cat "$NEWS" | tail -n 2 | cut -c -80 This allows any network man-in-the-middle attacker, DNS response forger, or BGP forger, to write 160 raw bytes directly to terminals. The previous version wasn't good (open for abuse by anyone who could trick one of the myriad x.509 Certificate Authorities to mis-issue a certificate) but this version is open for abuse by significantly more attackers. While most terminals are reasonably safe against outright maliciousness this has been a recurring exploitation theme for twenty years, and even what is "safe" for them to display could be wildly confusing to users unfamiliar with maliciously controlled terminals. (And users have wide tastes in terminals, some are fairly brittle.) cat(1) does not do any filtering for 'safe' display of arbitrary inputs. less(1) does, assuming -r is not in LESS environment variable or the less(1) command line. If you wish to keep the pipeline, perhaps tr(1)'s -d flag could be useful. On a related note, is there a reason why the motd.ubuntu.com server can't do HTTPS? Thanks To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1649352/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
