Bug 1028037 - rubygems-abrt: character injection issues
Summary: rubygems-abrt: character injection issues
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: rubygem-abrt
Version: 22
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Vít Ondruch
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1028034
Reported: 2013-11-07 14:13 UTC by Florian Weimer
Modified: 2015-09-18 18:59 UTC (History)

Fixed In Version: 0.1.1-1.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-18 18:59:39 UTC
Type: Bug



Description Florian Weimer 2013-11-07 14:13:32 UTC
In handler.rb, the first argument to the syslog.err calls needs to contain a "%s" argument, otherwise another exception will result.

This construct in the "report" method

    io.write "REASON=#{exception.format.first}\0"

should guard against embedded NUL characters, to prevent injection of other keywords in the submitted message.

Comment 2 Vít Ondruch 2013-11-07 15:12:55 UTC
Thank you for reporting. Would you mind sharing reproducers and what the impact is?

Comment 3 Florian Weimer 2013-11-07 18:00:21 UTC
This is based on source code review only.  Impact is misleading or missing crash data.

Comment 4 Vít Ondruch 2013-11-08 09:46:52 UTC
1) I tried to log a string with a NULL character and yes, the part of the string behind the NULL is missing, but what would be the expected output? You suggest using "%s", but neither

syslog.err "%s" % s

nor

syslog.err "%s", s

has any effect. The part behind the NULL is lost.

Also note that since the error handler is expected to handle errors which are caused by problems writing into the socket, I can hardly imagine how this could cause any issues.

2) As for the "io.write" case, the only possible abuse I can think of might come from Exception#message. That means it should probably be handled earlier at lib/abrt/exception.rb#L9, but what would you suggest? I can imagine that self.message.gsub(/\0/, "\n") could help there, or I can cut off everything behind the NULL (or raise an exception ;)).

But on the other side, I hope that ABRT is robust enough to handle such malformed reports.


But anyway, unless it is clear what we actually want to prevent/achieve, I hesitate to change anything.

Comment 5 Florian Weimer 2013-11-08 09:53:56 UTC
(In reply to Vít Ondruch from comment #4)
> 1) I tried to log a string with a NULL character and yes, the part of the
> string behind the NULL is missing, but what would be the expected output? You
> suggest using "%s", but neither
> 
> syslog.err "%s" % s
> 
> nor
> 
> syslog.err "%s", s
> 
> has any effect. The part behind the NULL is lost.

Sorry, what I meant is that this is needed in case the message contains a "%".

> 2) As for the "io.write" case, the only possible abuse, I can think of might
> come from Exception#message. That means it should be probably handled
> earlier at lib/abrt/exception.rb#L9, but what would you suggest?  I can
> imagine that self.message.gsub(/\0/, "\n") could help there, or I can cut
> off everything behind NULL (or raise exception ;)).

You could strip all NUL characters, replacing them with nothing at all.

Comment 6 Vít Ondruch 2013-11-08 11:03:28 UTC
(In reply to Florian Weimer from comment #5)
> Sorry, what i meant is that this is needed in case the message contains a
> "%".

Ah, now I see:

> syslog.err "% "
ArgumentError: invalid format character - %
from (pry):48:in `err'

Ok, so I can go with:

> syslog.err "%s", "% "
=> <#Syslog: opened=true, ident="abrt", options=3, facility=8, mask=255>

Still the question remains: is this a real-world problem?
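The two issues discussed in comments 4 to 6, modelled in Ruby as an added example that is not rubygem-abrt's own code: the ABRT socket report is a sequence of NUL-terminated KEY=VALUE records, so a NUL inside the exception message ends REASON early and starts a new record, and Syslog#err runs its first argument through printf-style formatting (modelled here with Kernel#format, which applies the same parsing). The function names, the minimal receiver-side parser and the sample message are assumptions constructed for this illustration.

```ruby
# Added example, not code from rubygem-abrt. Names such as
# build_reason_record, parse_records and log_message are hypothetical.

# Original shape of the handler's write: the message is embedded verbatim,
# so an embedded NUL terminates the REASON record.
def build_reason_record_unsafe(reason)
  "REASON=#{reason}\0"
end

# Hardened form, following comment #5: drop every NUL so the value can
# never terminate the record early or introduce a second keyword.
def sanitize_reason(reason)
  reason.delete("\0")
end

def build_reason_record(reason)
  "REASON=#{sanitize_reason(reason)}\0"
end

# Minimal receiver-side view of NUL-separated KEY=VALUE records. This is only
# to show what a server would parse; it is not ABRT's parser.
def parse_records(buf)
  buf.split("\0").map { |rec| rec.split("=", 2) }.to_h
end

# Constructed sample: an exception message carrying a NUL and a second keyword.
INJECTED_MESSAGE = "boom\0EXECUTABLE=/bin/true"

# Syslog#err treats its first argument as a printf-style format, so a message
# containing "%" must be passed as data to a "%s" format, never as the format.
def log_message_unsafe(msg)
  format(msg)         # raises ArgumentError for a message such as "% "
end

def log_message(msg)
  format("%s", msg)   # the message is an argument, so "%" is just a character
end
```

Running parse_records over the unsafe record of INJECTED_MESSAGE yields a second key, EXECUTABLE, while the sanitised record keeps everything under REASON.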

Comment 7 RHEL Program Management 2014-03-22 06:33:21 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 8 Florian Weimer 2014-12-02 16:42:43 UTC
(In reply to Vít Ondruch from comment #6)
> Still the question remains, is this real world problem?

I do think this is worth fixing, but doing so in Fedora is good enough.

Comment 10 Jaroslav Reznik 2015-03-03 17:08:04 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 11 Fedora Update System 2015-09-01 10:34:45 UTC
rubygem-abrt-0.1.1-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14748

Comment 12 Fedora Update System 2015-09-01 20:22:25 UTC
rubygem-abrt-0.1.1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update rubygem-abrt'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14748

Comment 13 Fedora Update System 2015-09-18 18:59:36 UTC
rubygem-abrt-0.1.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

