Bug 950777 (CVE-2013-2012)

Summary: CVE-2013-2012 autojump: autojump profile will load random stuff from a directory called custom_install
Product: [Other] Security Response
Component: vulnerability
Reporter: Zbigniew Jędrzejewski-Szmek <zbyszek>
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: All
Keywords: Security
Type: Bug
Doc Type: Bug Fix
CC: jlieskov, jpokorny, jrusnack, thibault.north, william.h.ting
Bug Depends On: 956792
Attachments:
  attachment 733886: patch to remove the offending part
  attachment 739596: Check "/destdir_${RANDOM}_install" location instead.
  attachment 739627: Uncomment else-if block only when --destdir is used during installation.

Description Zbigniew Jędrzejewski-Szmek 2013-04-10 20:55:56 UTC
Created attachment 733886 [details]
patch to remove the offending part

Description of problem:
/etc/profile.d/autojump.sh might load $CWD/custom_install/autojump.$SHELL
or $CWD/custom_install/autojump.$SHELL. When a user starts a shell in /tmp or another publicly writable directory, and has $SHELL unset or set to something different than zsh or bash, e.g. dash, an attacker might create this file there.

Version-Release number of selected component (if applicable):
I think that the script hasn't changed recently, so Fedora 17 to rawhide is probably affected.
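
Added illustration of the lookup chain the report describes; this is not part of the bug report and not autojump's own /etc/profile.d/autojump.sh. It puts a chain that falls through to a candidate relative to the current directory next to one restricted to absolute paths, and runs both in a scratch tree under the conditions from the report (packaged files exist only for bash and zsh, $SHELL is dash or unset, the shell is started in a world-writable directory where custom_install/autojump.<shell> has been planted). The $root/$home parameters, the AUTOJUMP_DEMO_MARKER variable and the planted file contents are constructed for the example.

```shell
#!/bin/sh
# Added illustration, not autojump's own /etc/profile.d/autojump.sh: a lookup
# chain with a candidate relative to the current directory, next to one that
# uses absolute paths only. The $root/$home arguments are a hook so the
# example runs against a scratch directory instead of the real /etc and $HOME.

# Last path component of $SHELL ("/bin/dash" -> "dash"); empty when unset.
shell_name() {
    printf '%s\n' "${1##*/}"
}

# Vulnerable chain: the third candidate is relative, so whenever no global
# or per-user file exists for this shell name it resolves against $PWD,
# which is /tmp or similar when the shell was started there. Prints the
# chosen path, or nothing.
find_profile_vulnerable() {
    root="$1"; home="$2"; shell="$3"
    for cand in "$root/etc/profile.d/autojump.$shell" \
                "$home/.autojump/etc/profile.d/autojump.$shell" \
                "./custom_install/autojump.$shell"; do
        if [ -s "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 0
}

# Hardened chain: the same two absolute candidates and nothing else. An
# unexpected or empty shell name just means nothing gets sourced.
find_profile_hardened() {
    root="$1"; home="$2"; shell="$3"
    for cand in "$root/etc/profile.d/autojump.$shell" \
                "$home/.autojump/etc/profile.d/autojump.$shell"; do
        if [ -s "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 0
}

# Source the chosen file in a subshell and print a marker it may have set:
# whatever that file contains runs as the user, exactly as in a login shell.
source_and_report() {
    ( . "$1"; printf '%s\n' "${AUTOJUMP_DEMO_MARKER:-none}" )
}

# Scenario from the report, built in a scratch tree (constructed data):
# packaged files exist only for bash and zsh, and an attacker has planted
# custom_install/autojump.<shell> in a world-writable directory the user
# then starts a shell in. $1 is "vulnerable" or "hardened", $2 is $SHELL.
run_scenario() {
    mode="$1"; shell_var="$2"
    shell=$(shell_name "$shell_var")
    work=$(mktemp -d) || return 1
    mkdir -p "$work/root/etc/profile.d" "$work/home" "$work/public/custom_install"
    for s in bash zsh; do
        printf '%s\n' 'AUTOJUMP_DEMO_MARKER=packaged' > "$work/root/etc/profile.d/autojump.$s"
    done
    printf '%s\n' 'AUTOJUMP_DEMO_MARKER=planted-by-attacker' \
        > "$work/public/custom_install/autojump.$shell"
    out=none
    path=$(cd "$work/public" && "find_profile_$mode" "$work/root" "$work/home" "$shell")
    if [ -n "$path" ]; then
        out=$(cd "$work/public" && source_and_report "$path")
    fi
    rm -rf "$work"
    printf '%s\n' "$out"
}

# Stand-alone run: show what each chain ends up sourcing.
for m in vulnerable hardened; do
    for sh_path in /bin/bash /bin/dash ""; do
        printf '%-10s SHELL=%-10s -> %s\n' "$m" "${sh_path:-(unset)}" "$(run_scenario "$m" "$sh_path")"
    done
done
```

With $SHELL=/bin/bash both chains source the packaged file, because the absolute candidate is found first. With /bin/dash, or with $SHELL unset (which yields the candidate name "autojump." with nothing after the dot), the vulnerable chain sources the attacker's file from the current directory while the hardened chain sources nothing.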

Comment 1 Jan Pokorný [poki] 2013-04-23 20:53:10 UTC
Adding Security keyword, please drop if not suitable here.

Comment 2 Jan Lieskovsky 2013-04-24 13:41:03 UTC
(In reply to comment #0)

Hello Zbigniew,

  thank you for your report && patch proposal.

> Created attachment 733886 [details]
> patch to remove the offending part
> 
> Description of problem:
> /etc/profile.d/autojump.sh might load $CWD/custom_install/autojump.$SHELL
> or $CWD/custom_install/autojump.$SHELL. When a user starts a shell in /tmp
> or another publicly writable directory, and has $SHELL unset or set to
> something different than zsh or bash, e.g. dash, an attacker might create
> this file there.

Just out of curiosity, have you tried to reach autojump upstream with the report above? If so, what was the reply from them? 

If not, can we (in your name) contact them?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> Version-Release number of selected component (if applicable):
> I think that the script hasn't changed recently, so Fedora 17 to rawhide is
> probably affected.

Comment 3 Zbigniew Jędrzejewski-Szmek 2013-04-24 14:17:59 UTC
I haven't tried to contact upstream, I took the lazy way of just filing in bugzilla. If you can forward the bug and patch upstream, by all means please do. Thank you.

Comment 4 William Ting 2013-04-24 20:45:01 UTC
Zbigniew,

Thanks for the report. I've fixed the bug upstream in this commit:

https://github.com/joelthelion/autojump/commit/ad09ee27d402be797b3456abff6edeb4291edfec

The line shouldn't be removed due to other package managers depending on it for installation. If the global and local installations of autojump are not found, it now checks a random root directory.

If a user has write privileges to /, then all bets are off but hopefully this change is sufficient.

Comment 5 William Ting 2013-04-24 20:46:16 UTC
Created attachment 739596 [details]
Check "/destdir_${RANDOM}_install" location instead.

Comment 6 Jan Pokorný [poki] 2013-04-24 20:55:45 UTC
William, are you aware of $RANDOM special variable being changed
upon each access (that's what makes it special, at least in bash and zsh)?

If yes, then I am just not getting your patch, but that's ok :-)

Comment 7 Jan Pokorný [poki] 2013-04-24 21:10:47 UTC
Ok, point of the code taken but it seems to be adding obscurity.

Wouldn't it be more decent to leave a special mark in form of a comment
(like "### CUSTOMIZATION HERE ###" in the place to be conditionally
modified in autojump.sh and then to substitute it with precooked "elif"
block if customization required?

You can certainly do single line -> multiple lines mapping using sed:

$ echo "a" | sed 's|a|a\nb|' 
a
b

Comment 8 William Ting 2013-04-25 00:07:35 UTC
Created attachment 739627 [details]
Uncomment else-if block only when --destdir is used during installation.

Jan,

Stop being so sensible. :)

- William
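
Added example of the approach discussed in comments 7 and 8, a commented-out branch that the installer uncomments with sed only when --destdir is given; it is not autojump's install.py or its real autojump.sh, and the @DESTDIR@ placeholder, the template text and the scratch-tree check are constructed for this illustration. Without a destdir the shipped snippet has only the two absolute candidates; with one, the extra branch points at an absolute prefix fixed at install time, so nothing depends on the current directory or on $RANDOM.

```shell
#!/bin/sh
# Added example of the "uncomment the extra branch only at install time"
# approach from this thread; not autojump's install.py or its real
# autojump.sh. @DESTDIR@ is a placeholder token chosen for this example.

# Template profile snippet as shipped in the package: the custom-prefix
# branch is present but commented out, so a stock install has no third
# candidate at all, and nothing here is relative to the current directory.
profile_template() {
    cat <<'EOF'
shell_name=${SHELL##*/}
if [ -s /etc/profile.d/autojump.${shell_name} ]; then
    . /etc/profile.d/autojump.${shell_name}
elif [ -s ~/.autojump/etc/profile.d/autojump.${shell_name} ]; then
    . ~/.autojump/etc/profile.d/autojump.${shell_name}
#elif [ -s @DESTDIR@/etc/profile.d/autojump.${shell_name} ]; then
#    . @DESTDIR@/etc/profile.d/autojump.${shell_name}
fi
EOF
}

# Installer step: with no --destdir the template is emitted unchanged; with
# one, the commented lines are uncommented and the placeholder replaced by
# the absolute prefix given on the command line (single line -> same line,
# done with sed as suggested in the thread).
render_profile() {
    destdir="$1"
    if [ -z "$destdir" ]; then
        profile_template
        return 0
    fi
    case "$destdir" in
        /*) ;;
        *)  echo "render_profile: --destdir must be an absolute path" >&2
            return 1 ;;
    esac
    # escape the characters that are special in a sed replacement
    esc=$(printf '%s' "$destdir" | sed 's/[\/&]/\\&/g')
    profile_template | sed -e 's/^#\(.*@DESTDIR@.*\)$/\1/' -e "s/@DESTDIR@/$esc/g"
}

# Both variants must still parse as shell; prints "ok" or "bad".
check_syntax() {
    tmp=$(mktemp) || return 1
    render_profile "$1" > "$tmp"
    if sh -n "$tmp"; then res=ok; else res=bad; fi
    rm -f "$tmp"
    printf '%s\n' "$res"
}

# Functional check in a scratch tree (constructed data): render for a
# scratch prefix, then source the result with a shell name that exists
# nowhere except under that prefix; prints the marker the file sets.
run_rendered_profile() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/dest/etc/profile.d" "$work/home"
    printf '%s\n' 'AUTOJUMP_DEMO_MARKER=from-destdir' \
        > "$work/dest/etc/profile.d/autojump.demoshell"
    render_profile "$work/dest" > "$work/autojump.sh"
    out=$(HOME="$work/home" SHELL=/bin/demoshell \
          sh -c '. "$1"; printf "%s\n" "${AUTOJUMP_DEMO_MARKER:-none}"' sh "$work/autojump.sh")
    rm -rf "$work"
    printf '%s\n' "$out"
}

# Stand-alone run: the snippet as it would be installed with --destdir /opt/autojump.
render_profile /opt/autojump
```

The relative-path check is never present in either output: a packager who does not pass --destdir ships the two-candidate snippet, and one who does gets a third candidate that is an absolute path fixed at install time.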

Comment 9 Jan Lieskovsky 2013-04-25 15:52:59 UTC
A security flaw was found in the way autojump, a tool for faster filesystem navigation from the command line, used to honour the content of the custom_install directory when global and local autojump installations were not found and the $SHELL variable was unset or set to a value other than bash or zsh. If an unsuspecting autojump user was tricked into running the autojump script from a directory a local attacker has write access to, this flaw could be used for arbitrary (Python) code execution with the privileges of the user running the autojump binary / script.

Relevant (final) upstream patches are as follows:
[1] https://github.com/joelthelion/autojump/commit/ad09ee27d402be797b3456abff6edeb4291edfec
[2] https://github.com/joelthelion/autojump/commit/c763b2afadb188ab52849c21d43d2e8fe5b8800a

Comment 10 Jan Lieskovsky 2013-04-25 16:06:01 UTC
This issue affects the versions of the autojump package, as shipped with Fedora releases 17 and 18. Please schedule an update.

--

This issue did NOT affect the versions of the autojump package, as shipped with Fedora EPEL 5 and 6 (vulnerable code part is not present in those versions yet).

Comment 11 Jan Lieskovsky 2013-04-25 16:10:33 UTC
Created autojump tracking bugs for this issue

Affects: fedora-all [bug 956792]

Comment 12 Jan Lieskovsky 2013-04-25 16:25:16 UTC
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/04/25/13

Comment 13 Jan Lieskovsky 2013-04-26 07:49:07 UTC
The CVE identifier of CVE-2013-2012 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/04/25/14

Comment 14 William Ting 2014-02-05 22:49:47 UTC
FYI this was fixed upstream:
https://github.com/joelthelion/autojump/commit/c763b2afadb188ab52849c21d43d2e8fe5b8800a