Summary: plexus-utils: suspicious shell quoting in org.codehaus.plexus.util.cli
Product: [Fedora] Fedora
Reporter: Florian Weimer <fweimer>
Component: plexus-utils
Assignee: Mikolaj Izdebski <mizdebsk>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Version: 18
CC: charles, fnasser, java-sig-commits, krosenvold, mizdebsk
Fixed In Version: 3.0.16-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
(unlabelled field): 1009412
Environment:
Last Closed: 2014-01-27 14:04:45 UTC
Type: Bug
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On:
Bug Blocks: 958220, 1009412, 1532497
Description Florian Weimer 2013-05-02 10:13:30 UTC
The shell quoting logic in this package (and the org.codehaus.plexus.util.cli.shell package) looks fairly dangerous. It appears to be mostly dead code. Client code should be migrated to java.lang.ProcessBuilder. The different quoting options (single quotes, double quotes) are difficult to get right, and the reference to StringUtils is not particularly helpful because the caller has to provide the correct set of characters to be escaped, which is platform-dependent.
Comment 1 Mikolaj Izdebski 2013-05-06 07:30:59 UTC
plexus-utils package is widely used (required by 96 packages in Fedora and it is the most often downloaded artifact on Maven Central, see http://search.maven.org/#stats), so changing the API or migrating dependent packages to use standard JDK API would be difficult or impossible. If I remember correctly the shell quoting code is indirectly used by maven-scm and maven-wagon. Migration to ProcessBuilder is impossible (or at least not always possible) because the shell code needs to be executed on remote hosts (eg. over SSH) which is beyond capabilities of ProcessBuilder. In my opinion the shell quoting and escaping code should be fixed to conform to appropriate standards, like http://pubs.opengroup.org/onlinepubs/7908799/xcu/chap2.html.
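The two execution paths argued over in the description and in comment 1 (a local launch, where ProcessBuilder takes an argv and no shell sees the arguments, versus a remote launch such as "ssh host <command>", where a remote sh re-parses one string and each word must be quoted per POSIX XCU chapter 2), shown as an added example. This is illustration code written for this page, not code from plexus-utils, Maven or any of the commenters; the class and method names are mine, and it assumes a POSIX sh on PATH, which stands in for the remote shell.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

/*
 * Added example (not plexus-utils code). Contrasts a local ProcessBuilder
 * launch, which takes an argv and involves no shell, with a remote-style
 * launch where a shell re-parses one command line. The remote sh is
 * simulated with a local "sh -c"; a POSIX sh on PATH is assumed.
 */
public final class ShellQuotingExample {

    /** Naive wrapping in double quotes: $(...), `...`, $VAR and \ stay active. */
    static String naiveDoubleQuote(String arg) {
        return "\"" + arg + "\"";
    }

    /**
     * POSIX single-quoting (XCU 2.2.2). Inside '...' every character is
     * literal; the only one that cannot appear is the single quote itself,
     * written as '\'' (close the quoted word, backslash-escaped quote, reopen).
     */
    static String posixQuote(String arg) {
        if (arg.isEmpty()) {
            return "''";
        }
        return "'" + arg.replace("'", "'\\''") + "'";
    }

    /** Builds the single string a remote sh would re-parse, one quoted word per argument. */
    static String joinForShell(List<String> argv, boolean posix) {
        StringBuilder sb = new StringBuilder();
        for (String a : argv) {
            if (sb.length() > 0) {
                sb.append(' ');
            }
            sb.append(posix ? posixQuote(a) : naiveDoubleQuote(a));
        }
        return sb.toString();
    }

    /** Local path: argv goes straight to the exec call, no shell involved. */
    static String runLocally(List<String> argv) throws IOException, InterruptedException {
        return capture(new ProcessBuilder(argv));
    }

    /** Stand-in for the remote path: a shell re-parses the joined command line. */
    static String runViaShell(String commandLine) throws IOException, InterruptedException {
        return capture(new ProcessBuilder("sh", "-c", commandLine));
    }

    private static String capture(ProcessBuilder pb) throws IOException, InterruptedException {
        Process p = pb.redirectErrorStream(true).start();
        byte[] out = p.getInputStream().readAllBytes();
        p.waitFor();
        return new String(out, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed hostile argument: a command substitution that must never run.
        String hostile = "$(echo INJECTED)";
        List<String> argv = Arrays.asList("printf", "%s\\n", hostile);

        // 1. Local launch: printf receives the literal text, nothing is expanded.
        System.out.print("local, ProcessBuilder argv: " + runLocally(argv));

        // 2. Remote-style launch with naive double quotes: the substitution fires.
        String naive = joinForShell(argv, false);
        System.out.println("naive command line:         " + naive);
        System.out.print("naive via sh -c:            " + runViaShell(naive));

        // 3. Remote-style launch with POSIX single quotes: the text stays inert.
        String posix = joinForShell(argv, true);
        System.out.println("posix command line:         " + posix);
        System.out.print("posix via sh -c:            " + runViaShell(posix));

        // An embedded single quote survives the close/escape/reopen sequence.
        System.out.println("embedded quote:             " + posixQuote("it's"));
    }
}
```

Compile with javac and run with java on a host that has a POSIX sh. The naive command line is re-parsed by sh as printf "%s\n" "$(echo INJECTED)", so the substitution runs and INJECTED is printed; the POSIX-quoted line keeps the argument text unchanged, exactly as the local ProcessBuilder launch does, and posixQuote("it's") yields 'it'\''s'. The point of the contrast is the one made in the thread: where no shell is involved the argv needs no quoting at all, and where one is (the SSH case) only the single-quote scheme is safe for arbitrary input.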
Comment 2 Mikolaj Izdebski 2013-09-27 17:52:43 UTC
Related to upstream bug PLXUTILS-161
Comment 3 Kristian Rosenvold 2013-09-27 20:11:36 UTC
I am one of the current maintainers of the plexus code in question. Plexus-utils is mostly used within maven, which (like all the build systems for java) is not a "safe" execution environment; if someone wants to inject an "rm -rf /*" into your build system there's probably thousands of different attack vectors to achieve this. This applies to all modern java build systems and is not a particular maven problem. I am mostly trying to establish the actual severity of this issue; we will gladly accept patches that update the correctness of the quoting algorithms (or if you can explain it to thickheads like me, I'll even fix it myself!). The code we're talking about here is ancient (and none of my doing) and just understanding the problem/consequences is hard enough.
Comment 4 Charles Duffy 2013-09-28 19:20:19 UTC
A patch correcting the quoting algorithm (and avoiding its use where possible) has been attached to PLXUTILS-161.
Comment 5 Fedora End Of Life 2013-12-21 15:30:26 UTC
This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Comment 6 Mikolaj Izdebski 2014-01-27 13:53:14 UTC
Fixed in plexus-utils-3.0.16-1
Comment 7 Mikolaj Izdebski 2014-01-27 14:04:45 UTC
I believe that this bug is fixed in plexus-utils-3.0.16-1, which is available in Fedora Rawhide, so I am closing this bug now. The build containing the fix can be found at Koji: http://koji.fedoraproject.org/koji/buildinfo?buildID=494089

This bug was fixed in the next release of Fedora, and is not planned to be fixed in the release it was filed against. If you want this bug to be fixed in updates for Fedora 18, please say so in a comment. Otherwise you can update to the newer release of Fedora to get the fix.