Bug 1282016

Summary: inotifywait does not accept NULL as field separator when using the --format option
Product: [Fedora] Fedora EPEL Reporter: g.danti
Component: inotify-toolsAssignee: Mark McKinstry <mmckinst>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: el6CC: adel.gadllah, g.danti, mmckinst, zerks0
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-30 15:04:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description g.danti 2015-11-14 11:40:33 UTC 
Description of problem:
inotifywait does not accept NULL as field separator when using the --format option. This means that specially crafted, malicious filenames (for example, filename with newline char) can be used to hijack 3d party code relying on inotifywait.

For example, think about a replication services that use inotifywait to know what events/files to replicate on a remote server. Using a malicious filename with an embedded newline and deleting it, the remote server will replicate a wrong (and potentially very dangerous) delete event.

See here for more details: https://github.com/rvoicilas/inotify-tools/issues/20

Version-Release number of selected component (if applicable):
all

How reproducible:
embed a newline in a monitored filename

Steps to Reproduce:
1. create a file with a newline embedded in its name (eg: touch '/tmp/test
this'
2. use inotifywait to monitor a directory (eg: inotifywait -m -r /tmp)
3. delete the file
4. the resulting inotify event will be split in two different row

Actual results:
the resulting inotify event will be split in two different row, exposing wrong events/filename to application reading from inotifywait (eg: using a pipe)

Expected results:
using a NULL char as field separator, inotifywait will be invulnerable to malicious filename (as NULL is an invalid char for filenames in about all filesystems)

Additional info:
https://github.com/rvoicilas/inotify-tools/issues/20
Comment 1 Ben Cotton 2020-11-05 16:51:32 UTC 
This message is a reminder that EPEL 6 is nearing its end of life. Fedora will stop maintaining and issuing updates for EPEL 6 on 2020-11-30. It is our policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of 'el6'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later EPEL version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before EPEL 6 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged  change the 'version' to a later Fedora version prior this bug is closed as described in the policy above.
Comment 2 Ben Cotton 2020-11-05 16:54:14 UTC 
This message is a reminder that EPEL 6 is nearing its end of life. Fedora will stop maintaining and issuing updates for EPEL 6 on 2020-11-30. It is policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of 'el6'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later EPEL version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before EPEL 6 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version, you are encouraged to change the 'version' to a later version prior this bug is closed as described in the policy above.
Comment 3 Ben Cotton 2020-11-30 15:04:33 UTC 
EPEL el6 changed to end-of-life (EOL) status on 2020-11-30. EPEL el6 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
EPEL please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.