most: CVE-2016-1253: shell injection attack using LZMA-compressed files

Debian Bug report logs - #848132
Package: most; Maintainer for most is Benjamin Mako Hill <mako@debian.org>; Source for most is src:most.

Reported by: Alberto Garcia <berto@igalia.com>

Date: Wed, 14 Dec 2016 12:51:01 UTC

Severity: grave

Tags: patch, security

Found in version most/5.0.0a-1

Fixed in versions most/5.0.0a-3, most/5.0.0a-2.3+deb8u1

Done: Benjamin Mako Hill <mako@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Benjamin Mako Hill <mako@debian.org>:
Bug#848132; Package most. (Wed, 14 Dec 2016 12:51:04 GMT)


Acknowledgement sent to Alberto Garcia <berto@igalia.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Benjamin Mako Hill <mako@debian.org>. (Wed, 14 Dec 2016 12:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Alberto Garcia <berto@igalia.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: most is vulnerable to a shell injection attack using LZMA-compressed files
Date: Wed, 14 Dec 2016 14:49:44 +0200
Package: most
Version: 5.0.0a-1
Severity: grave
Tags: security patch
Justification: user security hole

Hello,

the most pager can automatically open files compressed with gzip,
bzip2 and (in Debian) LZMA.

This is done using popen() and, in earlier releases of most, it was
vulnerable to a shell injection attack.

most fixed this in v5.0.0 (released in 2007), but the Debian patch
that added LZMA support (bug #466574) remains vulnerable.

It is trivial to generate a file with a certain name and content that,
when opened with most, runs arbitrary commands in the user's computer.

most is also launched by other programs as a pager for text files
(example: an e-mail client that needs to open an attachment). If any
of those programs generates a temporary file name that can be set by
an attacker, then that can be used to break into the user's machine.
I don't have any example of such program, however.

All versions of most >= 5.0.0a-1 including 5.0.0a-2.5 in Debian
(and derivatives that include the LZMA patch) are vulnerable (older
versions are vulnerable in all distros as I explained earlier).

   https://security-tracker.debian.org/tracker/CVE-2016-1253

I'm attaching the debdiff with the patch. It simply replaces single
quotes with double quotes in the command passed to popen(). Double
quotes in the filename are escaped by most in order to prevent this
kind of attacks, but this offers no protection if the file name is
enclosed in single quotes.

Regards,

Berto

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages most depends on:
ii  libc6      2.24-7
ii  libslang2  2.3.1-5

most recommends no packages.

most suggests no packages.

-- no debconf information
[most.debdiff (text/x-diff, attachment)]
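As an added example (not most's code and not the Debian patch), the popen() replacement that removes the quoting question the report describes: the decompressor is run with an explicit argv and no shell, so nothing in the file name can close a quote or start a substitution. The self-check uses `cat` as a stand-in for `lzma -dc` and a constructed file name containing quote and substitution characters; the names `popen_noshell`, `read_filter` and `metachar_name_passthrough` are this example's own.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Added example (not most's code): run a filter with an explicit argv and
 * return a FILE* on its stdout; no shell ever sees the file name. */
static FILE *popen_noshell(char *const argv[], pid_t *child)
{
    int fds[2];
    if (pipe(fds) == -1) return NULL;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return NULL; }
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1) _exit(127);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                       /* only reached if exec failed */
    }
    close(fds[1]);                        /* parent keeps the read end */
    *child = pid;
    return fdopen(fds[0], "r");
}
/* Read the filter's whole output into buf; returns its exit status, -1 on error. */
static int read_filter(char *const argv[], char *buf, size_t cap)
{
    pid_t child; int status;
    FILE *f = popen_noshell(argv, &child);
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    buf[n] = '\0'; fclose(f);
    if (waitpid(child, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
/* Constructed check: a file whose name holds shell metacharacters is read back
 * through `cat` (stand-in for `lzma -dc`); returns 1 if the content survives. */
static int metachar_name_passthrough(void)
{
    char dir[] = "/tmp/most_demo_XXXXXX", path[128], out[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(path, sizeof path, "%s/a'b\"c$(d)`e`.lzma", dir);
    FILE *w = fopen(path, "w");
    if (w == NULL) return 0;
    fputs("constructed payload\n", w); fclose(w);
    char *const argv[] = { "cat", "--", path, NULL };
    int rc = read_filter(argv, out, sizeof out);
    unlink(path); rmdir(dir);
    return rc == 0 && strcmp(out, "constructed payload\n") == 0;
}
```

With popen() and a format string, the same file name would have to be escaped for whichever quoting convention the format uses; here the argv is handed to execvp() unchanged.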

Changed Bug title to 'most: CVE-2016-1253: shell injection attack using LZMA-compressed files' from 'most is vulnerable to a shell injection attack using LZMA-compressed files'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 14 Dec 2016 13:09:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Benjamin Mako Hill <mako@debian.org>:
Bug#848132; Package most. (Thu, 15 Dec 2016 02:21:05 GMT)


Acknowledgement sent to "Benj. Mako Hill" <mako@atdot.cc>:
Extra info received and forwarded to list. Copy sent to Benjamin Mako Hill <mako@debian.org>. (Thu, 15 Dec 2016 02:21:06 GMT)


Message #12 received at 848132@bugs.debian.org:

From: "Benj. Mako Hill" <mako@atdot.cc>
To: Alberto Garcia <berto@igalia.com>
Cc: 848132@bugs.debian.org
Subject: Re: Bug#848132: most is vulnerable to a shell injection attack using LZMA-compressed files
Date: Wed, 14 Dec 2016 18:07:59 -0800
Thanks for this. I'll upload a patch for the version in unstable right
away.

Later,
Mako


<quote who="Alberto Garcia" date="Wed, Dec 14, 2016 at 02:49:44PM +0200">

> diff -Nru most-5.0.0a/debian/changelog most-5.0.0a/debian/changelog
> --- most-5.0.0a/debian/changelog	2016-08-05 02:55:52.000000000 +0300
> +++ most-5.0.0a/debian/changelog	2016-12-14 14:31:29.000000000 +0200
> @@ -1,3 +1,12 @@
> +most (5.0.0a-2.6) unstable; urgency=high
> +
> +  * Non-maintainer upload.
> +  * lzma-support.patch:
> +    - Fix CVE-2016-1253 (shell injection attack when opening
> +      lzma-compressed files).
> +
> + -- Alberto Garcia <berto@igalia.com>  Wed, 14 Dec 2016 14:31:29 +0200
> +
>  most (5.0.0a-2.5) unstable; urgency=medium
>  
>    * Non-maintainer upload.
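Review bot: the new changelog entry `+most (5.0.0a-2.6) unstable; urgency=high` names the CVE but carries no `(Closes: #848132)`, so an upload built from it would not close this bug report automatically; append the bug number to the `Fix CVE-2016-1253` bullet. The urgency=high is appropriate for a security fix and should stay.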
> diff -Nru most-5.0.0a/debian/patches/lzma-support.patch most-5.0.0a/debian/patches/lzma-support.patch
> --- most-5.0.0a/debian/patches/lzma-support.patch	2016-07-22 01:50:23.000000000 +0300
> +++ most-5.0.0a/debian/patches/lzma-support.patch	2016-12-14 14:25:03.000000000 +0200
> @@ -1,3 +1,5 @@
> +Index: most-5.0.0a/src/file.c
> +===================================================================
>  --- most-5.0.0a.orig/src/file.c
>  +++ most-5.0.0a/src/file.c
>  @@ -77,7 +77,7 @@ static int create_gunzip_cmd (char *cmd,
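Review bot: this hunk only adds quilt `Index:` header lines above `--- most-5.0.0a.orig/src/file.c`; nothing in src/file.c changes. That is harmless refresh noise, but it roughly doubles the size of what is a one-line security fix and makes the reviewer hunt for the functional change; either regenerate the debdiff without the refresh or state in the changelog that lzma-support.patch was refreshed.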
> @@ -32,13 +34,15 @@
>   	
>   	if (cmd != NULL)
>   	  {
> +Index: most-5.0.0a/src/file.h
> +===================================================================
>  --- most-5.0.0a.orig/src/file.h
>  +++ most-5.0.0a/src/file.h
>  @@ -22,6 +22,7 @@
>   #define MOST_MAX_FILES 4096
>   #define MOST_GUNZIP_POPEN_FORMAT "gzip -dc \"%s\""
>   #define MOST_BZIP2_POPEN_FORMAT "bzip2 -dc \"%s\""
> -+#define MOST_LZMA_POPEN_FORMAT "lzma -dc '%s'"
> ++#define MOST_LZMA_POPEN_FORMAT "lzma -dc \"%s\""
>   
>   extern void most_reread_file (void);
>   extern void most_read_to_line (int);
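Review bot: the single functional line, `++#define MOST_LZMA_POPEN_FORMAT "lzma -dc \"%s\""`, brings LZMA in line with the gzip and bzip2 formats two lines above and closes the single-quote escape the report describes, but it is only as strong as the escaping most applies to the file name before the string reaches popen(): inside double quotes the shell still expands `$`, backticks and backslash, so that routine must cover those characters as well as `"`. The command still goes through a shell; the durable fix is to run the decompressor with an explicit argv and no shell, which removes the quoting question for all three formats.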


-- 
Benjamin Mako Hill
http://mako.cc/

Creativity can be a social contribution, but only in so far
as society is free to use the results. --GNU Manifesto

Reply sent to Benjamin Mako Hill <mako@debian.org>:
You have taken responsibility. (Thu, 15 Dec 2016 03:09:12 GMT)


Notification sent to Alberto Garcia <berto@igalia.com>:
Bug acknowledged by developer. (Thu, 15 Dec 2016 03:09:13 GMT)


Message #17 received at 848132-close@bugs.debian.org:

From: Benjamin Mako Hill <mako@debian.org>
To: 848132-close@bugs.debian.org
Subject: Bug#848132: fixed in most 5.0.0a-3
Date: Thu, 15 Dec 2016 03:06:47 +0000
Source: most
Source-Version: 5.0.0a-3

We believe that the bug you reported is fixed in the latest version of
most, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848132@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Mako Hill <mako@debian.org> (supplier of updated most package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 14 Dec 2016 18:08:56 -0800
Source: most
Binary: most
Architecture: source amd64
Version: 5.0.0a-3
Distribution: unstable
Urgency: high
Maintainer: Benjamin Mako Hill <mako@debian.org>
Changed-By: Benjamin Mako Hill <mako@debian.org>
Description:
 most       - Pager program similar to more and less
Closes: 846465 848132
Changes:
 most (5.0.0a-3) unstable; urgency=high
 .
   * lzma-support.patch:
     - Fix CVE-2016-1253: shell injection attack when opening
       lzma-compressed files (Closes: #848132)
   * Added support for xv compressed file (Closes: #846465)





Reply sent to Benjamin Mako Hill <mako@debian.org>:
You have taken responsibility. (Sat, 31 Dec 2016 21:03:15 GMT)


Notification sent to Alberto Garcia <berto@igalia.com>:
Bug acknowledged by developer. (Sat, 31 Dec 2016 21:03:16 GMT)


Message #22 received at 848132-close@bugs.debian.org:

From: Benjamin Mako Hill <mako@debian.org>
To: 848132-close@bugs.debian.org
Subject: Bug#848132: fixed in most 5.0.0a-2.3+deb8u1
Date: Sat, 31 Dec 2016 21:02:32 +0000
Source: most
Source-Version: 5.0.0a-2.3+deb8u1

We believe that the bug you reported is fixed in the latest version of
most, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848132@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Mako Hill <mako@debian.org> (supplier of updated most package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 20 Dec 2016 16:52:16 -0800
Source: most
Binary: most
Architecture: source amd64
Version: 5.0.0a-2.3+deb8u1
Distribution: stable-proposed-updates
Urgency: high
Maintainer: Benjamin Mako Hill <mako@debian.org>
Changed-By: Benjamin Mako Hill <mako@debian.org>
Description:
 most       - Pager program similar to more and less
Closes: 848132
Changes:
 most (5.0.0a-2.3+deb8u1) stable-proposed-updates; urgency=high
 .
   * lzma-support.patch:
     - Fix CVE-2016-1253: shell injection attack when opening
       lzma-compressed files (Closes: #848132)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 02 Feb 2017 07:28:12 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:05:32 2019; Machine Name: beach