Could I get a second opinion (or more than one) from you guys as to whether this is actually an exploitable security problem? I have been talking to Steve Langasek in his capacity as a Release Manager about this, and he says if it's not an exploitable problem, then it's not really a security issue, not really RC, and therefore not deserving of excepting from the freeze. Note that I cloned this bug for stable as #309143, and whatever conclusions are reached here will probably map to that as well. I asked Matej to follow-up with more information about this, and to contact freedesktop.org and/or MITRE for a CAN allocation, but haven't heard anything back from him yet. If there's any more information I can provide, please let me know. ----- Forwarded message from Matej Vela <vela@debian.org> ----- From: Matej Vela <vela@debian.org> To: submit@bugs.debian.org Subject: Bug#308783: libxpm4: problems with s_popen (CAN-2004-0914) Date: Thu, 12 May 2005 12:59:04 +0200 Message-ID: <[🔎] 20050512105900.GP14871@irb.hr> List-Id: <debian-x.lists.debian.org> X-Mailing-List: <debian-x@lists.debian.org> archive/latest/26382 User-Agent: Mutt/1.5.6+20040907i X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02 Package: libxpm4 Version: 4.3.0.dfsg.1-12 Severity: grave Justification: may allow access to the accounts of users who use the package The CAN-2004-0914 patch introduced a s_popen() function as a safe replacement for popen(). Instead of invoking a shell, it splits arguments on whitespace and passes the command directly to execvp(3). However, it doesn't handle quoting or redirection, so code like WrFFrI.c:339: snprintf(buf, sizeof(buf), "gzip -q > \"%s\"", filename); WrFFrI.c:340: if (!(mdata->stream.file = s_popen(buf, "w"))) results in a ">" argument and superfluous quotes: execve("/bin/gzip", ["gzip", ">", "\"foo.gz\""], [/* 19 vars */]) This completely breaks the transparent compression and decompression. Furthermore, since gzip processes all arguments regardless of errors, an attacker can use filenames with whitespace to compress arbitrary files: (xpmtest taken from <https://bugs.freedesktop.org/show_bug.cgi?id=1920>) # ./xpmtest crab.xpm 'fnord -v /etc/hosts.deny fnord.gz' w=28, h=28, cpp=2, cols=6, vmask=00000000, hotspot=0,0 gzip: >: No such file or directory gzip: "fnord: No such file or directory /etc/hosts.deny: -50.0% -- replaced with /etc/hosts.deny.gz gzip: fnord.gz": No such file or directory The above would effectively disable TCP wrappers. The -r option can be used to compress whole directory trees. s_popen() also has issues with error handling, signals, and runaway child processes. All of this has been fixed in X11R6.8.2, though I don't think they're aware of the security implications (patches at <http://ftp.x.org/pub/X11R6.8.1/patches/> are still vulnerable). Thanks, Matej -- To UNSUBSCRIBE, email to debian-x-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org ----- End forwarded message ----- -- G. Branden Robinson | Communism is just one step on the Debian GNU/Linux | long road from capitalism to branden@debian.org | capitalism. http://people.debian.org/~branden/ | -- Russian saying
Attachment:
signature.asc
Description: Digital signature