
Bug#884923: abiword: CVE-2017-17529



Hi,

Are you sure this is vulnerable? I did not manage to trigger anything
problematic.

The code referenced is (in fallback_open_uri):


gint    argc;
gchar **argv = NULL;
char   *cmd_line = g_strconcat (browser, " %1", NULL);

if (g_shell_parse_argv (cmd_line, &argc, &argv, err)) {
  /* check for '%1' in an argument and substitute the url
   * otherwise append it */
  gint i;
  char *tmp;

  for (i = 1 ; i < argc ; i++)
    if (NULL != (tmp = strstr (argv[i], "%1"))) {
      *tmp = '\0';
      tmp = g_strconcat (argv[i],
        (clean_url != NULL) ? (char const *)clean_url : url,
        tmp+2, NULL);
      g_free (argv[i]);
      argv[i] = tmp;
      break;
    }

  /* there was actually a %1, drop the one we added */
  if (i != argc-1) {
    g_free (argv[argc-1]);
    argv[argc-1] = NULL;
  }
  g_spawn_async (NULL, argv, NULL, G_SPAWN_SEARCH_PATH,
    NULL, NULL, NULL, err);
  g_strfreev (argv);
}
g_free (cmd_line);


This seems correct with respect to injection through the URI:
the URI string cannot be expanded into multiple arguments
and is not passed to `system()`.

-- 
Gabriel
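To make the argument in the message concrete, below is an added model of the quoted logic (an example written for this page, not abiword's code): shlex.split() stands in for g_shell_parse_argv(), the %1 substitution and the "drop the one we added" step are reproduced one-to-one, and a constructed hostile URL is run through both the quoted path and the spliced-string pattern that a system() call would amount to. The browser strings and URLs are made-up inputs.

```python
"""Model of the argv handling quoted from fallback_open_uri() (added example).

shlex.split() in POSIX mode is used here as a stand-in for GLib's
g_shell_parse_argv(); only the trusted browser command plus the literal
" %1" placeholder is ever shell-parsed, exactly as in the quoted C.
"""
import shlex
from typing import List, Optional


def build_argv(browser: str, url: str, clean_url: Optional[str] = None) -> List[str]:
    """Return the argv the quoted code would hand to g_spawn_async()."""
    cmd_line = browser + " %1"                  # g_strconcat (browser, " %1", NULL)
    argv = shlex.split(cmd_line)                # g_shell_parse_argv (cmd_line, ...)
    argc = len(argv)

    i = 1
    while i < argc:                             # for (i = 1; i < argc; i++)
        pos = argv[i].find("%1")                # strstr (argv[i], "%1")
        if pos != -1:
            # *tmp = '\0'; g_strconcat (argv[i], url, tmp+2, NULL)
            # The URL lands inside this one argv slot and is never re-parsed.
            chosen = clean_url if clean_url is not None else url
            argv[i] = argv[i][:pos] + chosen + argv[i][pos + 2:]
            break
        i += 1

    if i != argc - 1:                           # a %1 was already present in `browser`:
        argv.pop()                              # drop the trailing one we appended
    return argv


def naive_shell_argv(browser: str, url: str) -> List[str]:
    """Counterexample: the token split a shell would produce if the URL were
    spliced into the command string *before* parsing (the system()-style
    pattern the quoted code deliberately avoids)."""
    return shlex.split(browser + " " + url)


if __name__ == "__main__":
    # Constructed hostile input: whitespace and ';' embedded in the URL.
    evil = "http://example.com/;rm -rf ~"
    print("quoted logic :", build_argv("xdg-open", evil))
    print("spliced shell:", naive_shell_argv("xdg-open", evil))
    # Browser command that already carries a %1 placeholder.
    print("with %1      :", build_argv('firefox -new-tab "%1"', "http://a/"))
```

Running it shows that with the quoted logic the URL occupies a single argv element regardless of what it contains, while the spliced variant turns the same string into four tokens. The model covers exactly what the message asserts, the token count handed to g_spawn_async(); what the browser then does with its single argument is outside the scope of this check.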

