Bug 131829

Summary: a2ps executes shell commands from filenames
Product: [Fedora] Fedora Reporter: Steve Grubb <linux_4ever>
Component: a2psAssignee: Tim Waugh <twaugh>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-09-07 13:01:07 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 130887    
Attachments:
Description Flags
Patch that fixes this problem none

Description Steve Grubb 2004-09-05 09:13:11 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2)
Gecko/20040308

Description of problem:
There was a vulnerability announced on full disclosure:

http://marc.theaimsgroup.com/?l=full-disclosure&m=109334851517137&w=2

I've tested this at length and the patch is good. The risk is that
when a user downloads a "trusted" tarball and then does a wildcard
print of all files in a directory, the shell can execute some of the
filenames.

The root cause of this hole is that popen() is used without escaping
the characters in the filename.

Version-Release number of selected component (if applicable):
a2ps-4.13b-40

How reproducible:
Always

Steps to Reproduce:
1. touch 'x`echo >&2 42`.c'
2. a2ps -o /dev/null *.c

Actual Results:  42

Expected Results:  The contents of x`echo >&2 42` printed instead of
executed.

Additional info:

I will attach a patch for this. As far as security severity, I would
classify this as low to medium risk. It is very unexpected for
filenames to be executed instead of printed.
Comment 1 Steve Grubb 2004-09-05 09:15:19 EDT
Created attachment 103479 [details]
Patch that fixes this problem

Please apply before fc3test2 is finalized.
Comment 2 Tim Waugh 2004-09-07 10:45:14 EDT
Unable to verify.  Did you actually try this with 4.13b-40?
Comment 3 Steve Grubb 2004-09-07 13:01:07 EDT
I just re-tested the whole thing and it looks fine, too.

/usr/bin/file -L "${filename}"

This should be safe. Somewhere along the way I must have used an older
copy by accident. Sorry.