[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#308783: libxpm4: problems with s_popen (CAN-2004-0914)

Package: libxpm4
Version: 4.3.0.dfsg.1-12
Severity: grave
Justification: may allow access to the accounts of users who use the package

The CAN-2004-0914 patch introduced a s_popen() function as a safe
replacement for popen().  Instead of invoking a shell, it splits
arguments on whitespace and passes the command directly to execvp(3).
However, it doesn't handle quoting or redirection, so code like

  WrFFrI.c:339:       snprintf(buf, sizeof(buf), "gzip -q > \"%s\"", filename);
  WrFFrI.c:340:       if (!(mdata->stream.file = s_popen(buf, "w")))

results in a ">" argument and superfluous quotes:

  execve("/bin/gzip", ["gzip", ">", "\"foo.gz\""], [/* 19 vars */])

This completely breaks the transparent compression and decompression.

Furthermore, since gzip processes all arguments regardless of errors, an
attacker can use filenames with whitespace to compress arbitrary files:
(xpmtest taken from <https://bugs.freedesktop.org/show_bug.cgi?id=1920>)

  # ./xpmtest crab.xpm 'fnord -v /etc/hosts.deny fnord.gz'
  w=28, h=28, cpp=2, cols=6, vmask=00000000, hotspot=0,0
  gzip: >: No such file or directory
  gzip: "fnord: No such file or directory
  /etc/hosts.deny:       -50.0% -- replaced with /etc/hosts.deny.gz
  gzip: fnord.gz": No such file or directory

The above would effectively disable TCP wrappers.  The -r option can be
used to compress whole directory trees.

s_popen() also has issues with error handling, signals, and runaway
child processes.  All of this has been fixed in X11R6.8.2, though I
don't think they're aware of the security implications (patches at
<http://ftp.x.org/pub/X11R6.8.1/patches/> are still vulnerable).



Reply to: