[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: joe: Potential security risk: control characters in filenames are printed without filtering.


Since one security issue has been fixed in joe very recently, I parsed
its bug list a bit and noticed another fishy thing.

On 7 Aug 1999, which was 1 year and 112 days ago (incredible, isn't it),
Andras Korn wrote:
> if you create a file named ^G (ctrl-g) and open it in joe, you will hear a
> beep as the status line is updated; you will also hear it upon exit, when
> joe prints the message about not updating the file because it was not
> changed.

I can reproduce it, joe ^V^G and it beeps when (in)appropriate.

> A malicious user could create a file whose name contains more harmful
> control characters and wait for another user to open that file in joe
> (perhaps inadvertently; e.g. by using the TAB completion of many shells, or
> from a graphical user interface).
> I admit this is a long shot, but still: filenames should be filtered and
> control characters removed before the name of the file is printed.

It seems these messages are made with stuff like

  sprintf(msgbuf,"File %.60s saved",s);

(BTW originally the %.60s was %s, Dale patched it)

How big a risk is this, can you security people advise me please?

> This potentially affects many other packages as well. grep is also
> vulnerable; I will post a separate report for that package, but currently
> I don't have the time to check any others.

If I run `grep -l foo' on a file called ^G, it will beep. FWIW.

Digital Electronic Being Intended for Assassination and Nullification

Reply to: