Bug 152770

Multiple extfs backend scripts for GNOME virtual file system (VFS) before 1.0.1
may allow remote attackers to perform certain unauthorized actions via a
gnome-vfs URI.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0494
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127973



------- Additional Comments From michal 2004-08-26 07:47:58 ----

A description and a CAN number strongly suggest that this is the same
as bug #1944 which already has patches and references to rebuild rpms.
OTOH summary suggests that this may be something else.  Anybody can clarify?



------- Additional Comments From dwb7.edu 2004-08-30 10:23:46 ----

Well, in that bug, the solution was just to disable extfs support.

It would appear that both gnome-vfs and mc use broken backend scripts to talk to
extfs. So, same sort of vulnerability in two different packages.

Though, in this case looks like they are actually working on fixing it rather
than just throwing out extfs support as was done in gnome-vfs rpms

The details are in:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127973

Latest comprehensive patch referenced is against mc-4.6 and is at:
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=102961&action=view



------- Additional Comments From dwb7.edu 2004-09-02 04:46:28 ----

Created an attachment (id=829)
First attempt at backported patch

This patch is slightly modded from the FC1 mc 4.6.0 rpms. A couple hunks don't
yet apply.. have to look and see if they are at all relevant to the RH7.3
version of mc.



------- Additional Comments From dwb7.edu 2004-09-02 10:17:33 ----

Created an attachment (id=831)
Proposed backported patch for rh7.3

Spent a bit of time editing the patch to get it to apply. Lemme know what y'all
think.



------- Additional Comments From dom 2004-09-07 14:13:17 ----

See also bug 1548.



------- Additional Comments From marcdeslauriers 2004-09-15 15:34:25 ----

Red Hat released theirs:

https://rhn.redhat.com/errata/RHSA-2004-464.html




------- Additional Comments From marcdeslauriers 2004-09-20 13:54:59 ----

Dave's patch from comment #4 looks good at first glance.
Will upload rpms in a few minutes.



------- Additional Comments From marcdeslauriers 2004-09-20 14:08:42 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA fo 7.3 and 9:

7.3 patch is the one from Dave
9 patch if the one from fc1

Changelog:
* Mon Sep 20 2004 Marc Deslauriers <marcdeslauriers>
4.6.0-14.9.1.legacy
- - Added security patch for CAN-2004-0494

7.3:
e45de9f38948bc78fc4bb3160731df2470bcad8b  mc-4.5.55-9.legacy.i386.rpm
3b7f464f40c0869b8796a9326298a0d55a2e629c  mc-4.5.55-9.legacy.src.rpm

9:
ceb82717b3341c5eab936e6abaa9395ccf5e404a  mc-4.6.0-14.9.1.legacy.i386.rpm
ded6f1713b752d36f2b5f628a144376fb775a295  mc-4.6.0-14.9.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/mc-4.5.55-9.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mc-4.5.55-9.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mc-4.6.0-14.9.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mc-4.6.0-14.9.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBT3EaLMAs/0C4zNoRAnKvAJkBSncdq2lFD1s8uDgpuy4RcJLoNwCgty9d
sjnZ5Rdskx2XsJ1HZDKFx+E=
=9q78
-----END PGP SIGNATURE-----




------- Additional Comments From mgerber 2004-10-11 19:41:37 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I checked RH73 only.

- - sha1sum is ok.

  3b7f464f40c0869b8796a9326298a0d55a2e629c  mc-4.5.55-9.legacy.src.rpm

- - No changes in source tarball and patches. Only the two 
  added patches are, well, added.

- - Patches (added in between 6.legacy and 9.legacy) are ok and reviewed:

  +Patch50:   mc-security_CAN-2004-0226.patch
  +Patch51:   mc-4.5.55-extfs-quoted.patch

- - Builds and runs fine.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBa23Yvsz686DVvkARAgEoAJ9VHVNWlh76FadByheX1srb5u+L1wCcC1Id
GhzmWi/BZ91RwqtX6CvC7k8=
=Qyju
-----END PGP SIGNATURE-----




------- Additional Comments From mgerber 2004-10-11 19:44:05 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I checked RH73 only. Repost, forgot the PUBLISH, sorry.

- - - sha1sum is ok.

  3b7f464f40c0869b8796a9326298a0d55a2e629c  mc-4.5.55-9.legacy.src.rpm

- - - No changes in source tarball and patches. Only the two 
  added patches are, well, added.

- - - Patches (added in between 6.legacy and 9.legacy) are ok and reviewed:

  +Patch50:   mc-security_CAN-2004-0226.patch
  +Patch51:   mc-4.5.55-extfs-quoted.patch

- - - Builds and runs fine.

PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBa26Hvsz686DVvkARAl0tAKDICiQH2mIdO/G0ztAx8cmqyEguywCeL8ku
sTbod6FUBj9qKHrCvVAO/lM=
=afXI
-----END PGP SIGNATURE-----




------- Additional Comments From leonard.nl 2004-11-30 07:02:40 ----

The original fix for CAN-2004-0494 is incomplete. Apart from the original perl
script quoting vulnerabilities in vfs upstream (mostly myself) has also fixed
the vfs shell scripts wrt quoting issues.

I believe Jindrich Novy is currently working on backporting these complete fixes
to RHEL 2.1 and FC 2. Please wait until he finishes this job, so the complete
patches can be included for RHL 7.3 and RHL 9.



------- Additional Comments From deisenst 2004-11-30 18:57:15 ----

Since the original patch that Red Hat put out for Fedora Core 1 for CAN-2004-0494
was not complete, then the updated patches here should also be needed for FC1.
Added "1" to keywords.  Also moving it back into the "NEEDSWORK" category.

More info on Jindrich Novy's work (at least for FC2 patches) are in RedHat's
bugzilla #127973,
       <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127973>.
Tracking it now.



------- Additional Comments From deisenst 2005-01-01 21:13:52 ----

RedHat came out with a completed fix on December 7, 2004, for Fedora Core 3,
announced here:

http://www.redhat.com/archives/fedora-announce-list/2004-December/msg00041.html

The fix was basically to update the packages with an upstream release.
From Jindrich's Fedora Update Notification message #FEDORA-2004-514 from the
above URL:

---------------------------------------------------------------------
Update Information:

The updated version of Midnight Commander contains finished
CAN-2004-0494 security fixes in extfs scripts and has better support for
UTF-8, contains subshell prompt fixes and enhanced large file support.

The version is also one of the release candidates: mc-4.6.1-pre1a.
---------------------------------------------------------------------
* Wed Dec 01 2004 Jindrich Novy <jnovy redhat com> 4.6.1-0.11FC3

- update from CVS
  - fix #141095 - extraction of symlinks from tarfs is now fine
- add growbuf patch from Roland Illig #141422 to view files
  in /proc and /sys properly

* Wed Nov 24 2004 Jindrich Novy <jnovy redhat com> 4.6.1-0.10

- update from CVS
- update promptfix patch, drop upstreamed strippwd patch
- add badsize patch to fix displaying of filesizes >2GB
- sync UTF-8 patches with upstream
- replace autogen.sh style with configure

* Fri Nov 12 2004 Jindrich Novy <jnovy redhat com>

- convert man pages to UTF-8 (#138871)
---------------------------------------------------------------------
(end of excerpt)

It is tempting to just create new srpms for RH7.3, RH9, and FC1 from Jindrich Novy's
  
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/SRPMS/mc-4.6.1-0.11FC3.src.rpm

to solve the CAN-2004-0494 issue we are trying to solve here, since the this
srpm is based upon Midnight Commander's maintainers' upstream work (especially
the hard work of Leonard den Ottolander in fixing the extfs vulnerabilities).
But is mc-4.6.1-pre1a using operating system features not present in any of
these operating systems, such as UTF-8 compatibility?  Would going with a new
upstream update cause any other problems we could not or would not want to
handle here in the FL project?

I'm about to try building and installing the above .src.rpm on my FC1 system to
see how it will run or if it breaks.

Leonard or Jindrich - do you have any thoughts or suggestions about this? 
Anyone else who has knowledge of RH7.3 or RH9?  Dominic?  Marc?  I'd be happy to
try & create .src.rpms for 7.3 and 9 but I cannot test them myself.

Thanks in advance for your thoughts.    -David



------- Additional Comments From leonard.nl 2005-01-02 02:09:28 ----

For RHL 9 & FC 1 the whole of the extfs directory can essentially be updated to
CVS (minus a few recent (= couple of weeks ago)) fixes. I don't think a full
update to 4.6.1 once it's released will cause any major problems, as there is
not much that depends on mc. This would also have the added advantage of
improved UTF-8ization. However this is in contrast with the chosen conservative
upgrade policy. But I'll be glad to make rpms for the contrib section (do we
have one?).

RHL 7.3 is a different matter. I worked with Jindrich on a fix for RHEL 2.1
which he should finish soon. However, RHEL 2.1 comes with 4.51.1, but RHL 7.3
with 4.5.55.

Problem with making patches for these versions is that is not always possible to
completely remove all functional changes from the quote fixes. I'll try to come
up with a patch for 7.3 with as little functional changes as possible in a week
or two. Please ping me if you haven't seen any result by then.




------- Additional Comments From deisenst 2005-01-11 13:07:30 ----

I have been in touch with Leonard through IRC in the past few days.  He
appears to still be working on the RH7.3 fix for this vulnerability, as he
was conferring with Jindrich Novy of Red Hat about this as well as the 
RHEL 2.1 version of MC.  

I hope to do work on the RH9 and FC1 fixes for MC for this vuln.; fixing
this from CVS or its equivalent doesn't look too hard for RH9 and FC1.
   -David



------- Additional Comments From bugzilla.fedora.us 2005-01-29 15:01:21 ----

http://www.debian.org/security/2005/dsa-639 lists a ton more CVE's that we'll
need to fix:
CAN-2004-1004 CAN-2004-1005 CAN-2004-1009 CAN-2004-1090 CAN-2004-1091          
       CAN-2004-1092 CAN-2004-1093 CAN-2004-1174 CAN-2004-1175 CAN-2004-1176



------- Additional Comments From leonard.nl 2005-01-30 02:59:25 ----

I'll look into the Debian diff to see if any of these issues are not fixed for
RHL 7.3. As the vulnerabilities are reported for mc-4.5.55 I don't except them
to be an issue for mc-4.6.0 and beyond.




------- Additional Comments From leonard.nl 2005-01-30 03:30:32 ----

Created an attachment (id=974)
Update of extfs to CVS-2004-11-21 for RHL 7.3

This is a full update to CVS-2004-11-21 (no new (relevant) changes since then)
for the extfs directory. Makefile is only touched for patchfs as it radically
changed since then.

This patch also contains some temp file fixes, and possibly some of the fixes
in the Debian advisory (at least as far as they affect vfs/extfs).




------- Additional Comments From leonard.nl 2005-01-30 03:32:55 ----

Created an attachment (id=975)
SPEC file for RHL 7.3 including extfs fix

Versioning might be incorrect (I did start from RHL 7.3's mc-4.5.55-5, not
Legacy's mc-4.5.55-6, we might still need the fix in there), but we should add
the other fixes from the Debian advisory first anyway.




------- Additional Comments From leonard.nl 2005-01-30 04:51:18 ----

Opened bug 2405 for CAN-2004-1004, CAN-2004-1005, CAN-2004-1009, CAN-2004-1090,
CAN-2004-1091, CAN-2004-1092, CAN-2004-1093, CAN-2004-1174, CAN-2004-1175 and
CAN-2004-1176 (http://www.debian.org/security/2005/dsa-639).




------- Additional Comments From deisenst 2005-01-30 07:55:35 ----

Created an attachment (id=977)
Patches for mc-4.6.0-17.fc1.src.rpm (for FC1 & RH9)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This attachment has proposed patches for CAN-2004-0494 to the partially-
patched mc-4.6.0-17.fc1.src.rpm, for creating new .src.rpm's for FC1 and 
RHL 9.

Note that these patches deal with a subset of all the files in the
vfs/extfs directory, because some of the files in mc-4.6.0-17.fc1
were already patched up to what's in the MC CVS by Jakub Jelinek of
Red Hat on August 21st.

These patches were created by downloading all the extfs files (except
iso9660.in and extfs.ini and the Makefiles) from the Midnight Commander
CVS at <http://savannah.gnu.org/cgi-bin/viewcvs/mc/mc/vfs/extfs/>, and 
doing a diff -up on the two directories.  I elected not to muck with the
makefiles, because they seemed just fine as is.

SHA1 sum of the patch file enclosed:
bb596be5bc2137c365c3aa76caaa4973775e54ae mc-4.6.0-extfs-quoted-security2.patch

.src.rpm's for FC1 and RHL 9 forthcoming.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD4DBQFB/R7Oxou1V/j9XZwRAmYoAJj2t9/VN9HNPbo3VMTXWlM/HjtFAJ9rAA4p
QofPhI9Bczx+km/q/KpaXg==
=Ad5X
-----END PGP SIGNATURE-----




------- Additional Comments From deisenst 2005-02-05 17:12:35 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are FC1 and RH9 srpms that address CAN-2004-0494.  See notes and
caveats below.

RH9 and FC1 are both patched with new patch from attachment 977.


Downloadable from http://www-astro.physics.ox.ac.uk/~dom/legacy/contrib/

  SHA1SUM                                 Package Name
========================================  ================================
RH9:
c0a21ded445b9007cda814105a3ae1f869b97a33  mc-4.6.0-18.fc0.9.legacy.src.rpm

FC1:
c87584877bff86d7e8084c37b1c72be35458041c  mc-4.6.0-18.fc1.0.legacy.src.rpm


http://www-astro.physics.ox.ac.uk/~dom/legacy/contrib/mc-4.6.0-18.fc0.9.legacy.src.rpm
http://www-astro.physics.ox.ac.uk/~dom/legacy/contrib/mc-4.6.0-18.fc1.0.legacy.src.rpm


RH9 Changelog:
* Sun Jan 30 2005 David Eisenstein <deisenst> 1:4.6.0-18.fc0.9.legacy
- - rebuild SRPM for RH9. (FL bugzilla #2009).

* Fri Jan 28 2005 David Eisenstein <deisenst> 1:4.6.0-18.fc1.0.legacy
- - Update extfs shell quoting fixes in scripts (CAN-2004-0494) to match
  scripts in upstream's cvs.  This takes care of fixes missed in Fedora
  update FEDORA-2004-272.
- - Fedora Legacy bugzilla # 2009.

* Sat Aug 21 2004 Jakub Jelinek <jakub> 4.6.0-17.fc1
- - 3 more quoting omissions in a.in

* Sat Aug 21 2004 Jakub Jelinek <jakub> 4.6.0-17
- - fix shell quoting in extfs perl scripts
  (Leonard den Ottolander, #127973, CAN-2004-0494)


FC1 Changelog:
* Fri Jan 28 2005 David Eisenstein <deisenst> 1:4.6.0-18.fc1.0.legacy
- - Update extfs shell quoting fixes in scripts (CAN-2004-0494) to match
  scripts in upstream's cvs.  This takes care of fixes missed in Fedora
  update FEDORA-2004-272.
- - Fedora Legacy bugzilla # 2009.

* Sat Aug 21 2004 Jakub Jelinek <jakub> 4.6.0-17.fc1
- - 3 more quoting omissions in a.in

* Sat Aug 21 2004 Jakub Jelinek <jakub> 4.6.0-17
- - fix shell quoting in extfs perl scripts
  (Leonard den Ottolander, #127973, CAN-2004-0494)



==================================  NOTES  ==============================

I have been running mc binaries on FC1 created from the srpm since Friday,
Jan 28th, and they have been working fine in my environment.

QA if you wish; however, new RH9/FC1 packages that address the new issues 
mentioned in comment 20 are being prepared and will be placed in Bug 2405.
I am amid working on those issues.  This is a work-in-progress.  See caveat
below.


Justification for creating RH9 updates from the FC1 ones done by Jakub
(4.6.0-17.fc1):
- ------------------------------------------------------------------------
At the time Red Hat retired RHL 9, both FC1 and RHL 9 were using exactly
the same sources for Midnight Commander, AFAICS.  Since they were the same
source at that time, and the extfs patches neither introduce nor use any
FC1-specific functionality, I just took the fc1 .src.rpm and changed its
name and specfile tags to create the RH9 update srpm.


CAVEAT
- ------------------------------------------------------------------------
NOTE!!:  These packages do NOT address the newly announced security issues
that Leonard mentioned in comment 20 (CAN-2004-1004, CAN-2004-1005, &c)
that are being worked on in bug 2405.  These packages should NOT be consi-
dered candidates for publishing to updates-testing.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCBYowxou1V/j9XZwRApUvAKCigJbev2BFtdQ/VXS3nMU/S3XFSwCfbOne
923gOl79q8gB9xTfjPilPO4=
=g/zm
-----END PGP SIGNATURE-----




------- Additional Comments From deisenst 2005-02-05 17:17:39 ----

This bug has been replaced by bug 2405.



------- Additional Comments From leonard.nl 2005-02-06 02:32:00 ----

David, I see you've been using the 4.6.1a branch for your patch instead of the
latest 4.6.1-pre (pre3) branch.

This means there are some differences between RHL7.3 and RHL9/FC1. Some fixes to
urar that should have been committed to pre are missing from my patch, but you
feature some functional changes to uzip of which I'm not sure we should
introduce them.

Apart from a possible change to uzip.in (deletion of newly introduced code in
4.6.1a) your patch (only tested for FC1) is fine. However, you should get rid of
mc-cvs-uzip from the SPEC file. It is obsolete and was supposed to replace
uzip.in which is no longer needed since the first extfs-quoted patch.

One more thing, just call the second quote patch #14 instead of #100.




------- Additional Comments From deisenst 2005-02-06 07:37:22 ----

Good points all, Leonard.  The issue about patch numbering seems minor,
though.  Many Fedora Legacy packagers have been jumping patch numbers,
presumably to make it clear the packages are being maintained by new
people.

I will create a new patch and and post it here for just the CAN-2004-0494
issue, then use them to build a final version for bug 2405, addressing all 
the other CANs mentioned in comment 16 and comment 20.

Thanks for the QA.



------- Additional Comments From deisenst 2005-02-06 08:00:30 ----

Just to make sure I'm using the right one, is this the version of
uzip.in you recommend we use?

http://tinyurl.com/4w5xc



------- Additional Comments From leonard.nl 2005-02-07 11:00:30 ----

David: Yes.

However, the three additional hunks to urar.in that have not yet been committed
to the 4.6.1-pre branches should be used. So indeed all you need to do is fix
uzip.in. For RHL 7.3 I need to add these urar hunks. Will get to that in a
couple of days.




------- Additional Comments From deisenst 2005-02-08 03:55:37 ----

Created an attachment (id=989)
New patches for mc-4.6.0-17.fc1 (FC1 & RH9)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This .tar.bz2 attachment includes:
  * updated proposed patches for CAN-2004-0494 to the partially-patched
    mc-4.6.0-17.fc1.src.rpm, for creating new .src.rpm's for FC1 and 
    RHL 9.  (mc-4.6.0-extfs-quoted-security2b.patch)
  * Jakub Jelinek's jumbo patch, revised to remove a hunk that patched
    mc-cvs-uzip.  mc-cvs-uzip was removed, per request by Leonard den
    Ottolander (see comment 24).  (mc-4.6.0-jumbo-b.patch)
  * Revised spec files for RH9 & FC1 (mc-4.6.0-18.1.fc0.9.legacy.spec &
    mc-4.6.0-18.1.fc1.0.legacy.spec).

sha1sum of attachment:

02a5097862bed421be5ca9bc38eb9fb94279cc8c  mc-4.6.0-18.1-files.tar.bz2

Note that the mc-4.6.0-extfs-quoted-security2b.patch file patches a
subset of all the files in the vfs/extfs directory, because some of them
were already patched in mc-4.6.0-17.fc1.src.rpm.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCCMO9xou1V/j9XZwRAvobAJ9oCMgIahzPLXVsTYsNML5MxOUy7gCgtJbn
ttmTXl/DjTaLXm/D4LpMTxM=
=5DYX
-----END PGP SIGNATURE-----




------- Additional Comments From leonard.nl 2005-02-09 08:21:19 ----

Created an attachment (id=991)
Update of extfs to CVS-2004-11-21 + urar fix for RHL 7.3




------- Bug moved to this database by dkl 2005-03-30 18:26 -------

This bug previously known as bug 2009 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2009
Originally filed under the Fedora Legacy product and Package request component.
Bug depends on bug(s) 2405.

Attachments:
First attempt at backported patch
https://bugzilla.fedora.us/attachment.cgi?action=view&id=829
Proposed backported patch for rh7.3
https://bugzilla.fedora.us/attachment.cgi?action=view&id=831
Update of extfs to CVS-2004-11-21 for RHL 7.3
https://bugzilla.fedora.us/attachment.cgi?action=view&id=974
SPEC file for RHL 7.3 including extfs fix
https://bugzilla.fedora.us/attachment.cgi?action=view&id=975
Patches for mc-4.6.0-17.fc1.src.rpm (for FC1 & RH9)
https://bugzilla.fedora.us/attachment.cgi?action=view&id=977
New patches for mc-4.6.0-17.fc1 (FC1 & RH9)
https://bugzilla.fedora.us/attachment.cgi?action=view&id=989
Update of extfs to CVS-2004-11-21 + urar fix for RHL 7.3
https://bugzilla.fedora.us/attachment.cgi?action=view&id=991

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.