Bug 1077059 (CVE-2014-2527, CVE-2014-2528)

Summary: CVE-2014-2527 CVE-2014-2528 kdirstat: insufficient quote escaping leading to arbitrary command execution
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: chitlesh, kryzhev, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-04-02 02:59:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1077060, 1077061
Bug Blocks:

Description Murray McAllister 2014-03-17 06:17:37 UTC
Adrian Panasiuk discovered that the KDirStat (KDE Directory Statistics) tool did not correctly escape quotes when deleting a directory permanently. Attempting to use KDirStat to permanently delete a directory that has a malicious name could result in arbitrary command execution.

The original report is regarding single quotes. Testing with Fedora revealed that the issue there was with double quotes.

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741659

Comment 1 Murray McAllister 2014-03-17 06:18:33 UTC
Created k4dirstat tracking bugs for this issue:

Affects: fedora-all [bug 1077061]

Comment 2 Murray McAllister 2014-03-17 06:18:37 UTC
Created kdirstat tracking bugs for this issue:

Affects: fedora-19 [bug 1077060]

Comment 3 Murray McAllister 2014-03-17 06:22:42 UTC
CVE request: http://www.openwall.com/lists/oss-security/2014/03/17/2

Comment 4 Murray McAllister 2014-03-19 02:06:21 UTC
MITRE assigned CVE-2014-2527 to the issue involving " (the one that affects Fedora)

MITRE assigned CVE-2014-2528 to the issue involving ' (as noted in the Debian report, and fixed via https://bitbucket.org/jeromerobert/k4dirstat/commits/1ad2e96d73fa06cd9be0f3749b337c03575016aa#chg-src/kcleanup.cpp)

Comment 5 Murray McAllister 2014-03-19 02:07:39 UTC
(In reply to Murray McAllister from comment #4)
> MITRE assigned CVE-2014-2527 to the issue involving " (the one that affects
> Fedora)
> 
> MITRE assigned CVE-2014-2528 to the issue involving ' (as noted in the
> Debian report, and fixed via
> https://bitbucket.org/jeromerobert/k4dirstat/commits/
> 1ad2e96d73fa06cd9be0f3749b337c03575016aa#chg-src/kcleanup.cpp

Reference: http://seclists.org/oss-sec/2014/q1/590

Comment 6 Dmitrij S. Kryzhevich 2014-03-19 08:57:39 UTC
Working.

Comment 7 Dmitrij S. Kryzhevich 2014-03-19 09:01:01 UTC
I lost "CVE-2014-2527 CVE-2014-2528" from the "Summary" but can't find how to return this change.

Comment 8 Murray McAllister 2014-03-19 09:28:39 UTC
(In reply to Dmitrij S. Kryzhevich from comment #7)
> I lost "CVE-2014-2527 CVE-2014-2528" from the "Summary" but can't find how
> to return this change.

Hello,

Thanks for looking at this. I have put it back in the summary (there is an "edit" button near the title of the page).

For bugs like this one (filed against the Security Response Product), we leave them in the "NEW" state until everywhere is fixed, and don't assign them to people. For the trackers/product specific bugs, such as bug 1077061 and bug 1077060, you can change their state and assign those to yourself.

http://seclists.org/oss-sec/2014/q1/590 has some discussion about the issue. I am unsure if there is a patch yet for the use of " characters :(

Comment 9 Dmitrij S. Kryzhevich 2014-03-19 09:55:14 UTC
Thanks.

I think we could use the upstream patch as is ( http://paste.fedoraproject.org/86626/52224521/ ).
The resulting variable "QString expanded" just goes to the shell in the way it is formatted, so there is no need to distinguish between ' and " in this part of the code. The substitution for the file/directory name goes into the following string:
rm -rf %p
There are no special signs here.

But still I will run a few tests.


And one more. It was a surprise for me that there is a new upstream here ( bitbucket.org/jeromerobert/k4dirstat ).
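Added example, written for this page and not taken from k4dirstat's kcleanup.cpp or the upstream patch: it shows the `rm -rf %p` substitution discussed in the description and in comment 9, why wrapping the name in double quotes (the Fedora build) or single quotes (the Debian report) is not enough on its own, and a quoting routine that survives both. The helpers `naiveQuote`, `shellQuote`, `buildNaive`, `buildSafe`, the toy word splitter and the two directory names are all constructed for illustration; the splitter only models enough of POSIX sh to show how many commands each string turns into.

```cpp
// Added example, not code from k4dirstat or kcleanup.cpp: shows why quoting a
// directory name into a shell command such as `rm -rf "%p"` fails, and a
// quoting routine that survives both `"` (CVE-2014-2527) and `'` (CVE-2014-2528).
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

// Naive substitution: wrap the name in double quotes. Any `"` in the name closes
// the quotes early, so the rest of the name is parsed as shell syntax. (A real
// shell would also expand `$var`, `$(cmd)` and backticks inside double quotes;
// the toy splitter below does not model that.)
std::string naiveQuote(const std::string& name) {
    return "\"" + name + "\"";
}

// Safe substitution for a POSIX shell: wrap in single quotes and turn every
// embedded `'` into '\'' (close, escaped literal quote, reopen). Nothing else
// is special inside single quotes, so `"`, `;`, `$` and backticks stay literal.
std::string shellQuote(const std::string& name) {
    std::string out = "'";
    for (char c : name) {
        if (c == '\'') out += "'\\''";
        else           out += c;
    }
    return out + "'";
}

// Hypothetical cleanup templates, mirroring the page's `rm -rf %p`.
std::string buildNaive(const std::string& dir) { return "rm -rf " + naiveQuote(dir); }
std::string buildSafe(const std::string& dir)  { return "rm -rf " + shellQuote(dir); }

// Minimal POSIX word splitter used to show how /bin/sh would see each string:
// handles '...', "..." (with \" and \\ escapes), backslash escapes, splits
// words on unquoted blanks and starts a new command at an unquoted ';'.
// Returns one vector of words per command. Not a full shell parser.
std::vector<std::vector<std::string>> splitCommands(const std::string& line) {
    std::vector<std::vector<std::string>> cmds(1);
    std::string word;
    bool haveWord = false;
    auto flush = [&]() {
        if (haveWord) { cmds.back().push_back(word); word.clear(); haveWord = false; }
    };
    for (size_t i = 0; i < line.size(); ++i) {
        char c = line[i];
        if (c == '\'') {                       // single-quoted: literal to next '
            haveWord = true;
            while (++i < line.size() && line[i] != '\'') word += line[i];
        } else if (c == '"') {                 // double-quoted: only \" and \\ escape
            haveWord = true;
            while (++i < line.size() && line[i] != '"') {
                if (line[i] == '\\' && i + 1 < line.size() &&
                    (line[i + 1] == '"' || line[i + 1] == '\\')) ++i;
                word += line[i];
            }
        } else if (c == '\\' && i + 1 < line.size()) {
            haveWord = true;
            word += line[++i];
        } else if (c == ';') {                 // unquoted ';' ends the command
            flush();
            cmds.emplace_back();
        } else if (c == ' ' || c == '\t') {
            flush();
        } else {
            haveWord = true;
            word += c;
        }
    }
    flush();
    return cmds;
}

int main() {
    // Constructed malicious directory names, one per quote style on this page.
    const std::string dq = "dir\"; touch /tmp/owned; \"";  // breaks out of "..."
    const std::string sq = "it'; touch /tmp/owned; '";     // breaks out of '...'
    for (const std::string& name : {dq, sq}) {
        std::string naive = buildNaive(name), safe = buildSafe(name);
        std::cout << naive << "\n   -> " << splitCommands(naive).size() << " command(s)\n"
                  << safe  << "\n   -> " << splitCommands(safe).size()  << " command(s)\n";
    }
    return 0;
}
```

With the double-quote name the naive template splits into three commands, the second of which is `touch /tmp/owned`; with single-quote wrapping it stays a single `rm -rf` with the whole name as one argument. The more robust fix is to not compose a shell string at all and instead pass the path as its own argv element (for example a QProcess argument list or execve); `shellQuote` is the fallback when the command really has to go through `sh -c`.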

Comment 10 Dmitrij S. Kryzhevich 2014-03-19 10:00:12 UTC
Too many mistypes. My bad.

Comment 11 Dmitrij S. Kryzhevich 2014-03-20 03:20:08 UTC
Looks like this patch fixes all ' and " issues. Will submit as an update.

Comment 12 Fedora Update System 2014-03-30 06:05:24 UTC
k4dirstat-2.7.0-0.14.20101010git6c0a9e6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2014-03-30 06:11:32 UTC
k4dirstat-2.7.0-0.14.20101010git6c0a9e6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.