Bug 1077059 (CVE-2014-2527, CVE-2014-2528) - CVE-2014-2527 CVE-2014-2528 kdirstat: insufficient quote escaping leading to arbitrary command execution
Summary: CVE-2014-2527 CVE-2014-2528 kdirstat: insufficient quote escaping leading to ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2014-2527, CVE-2014-2528
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1077060 1077061
Blocks:
Reported: 2014-03-17 06:17 UTC by Murray McAllister
Modified: 2019-09-29 13:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-04-02 02:59:24 UTC



Description Murray McAllister 2014-03-17 06:17:37 UTC
Adrian Panasiuk discovered that the KDirStat (KDE Directory Statistics) tool did not correctly escape quotes when deleting a directory permanently. Attempting to use KDirStat to permanently delete a directory that has a malicious name could result in arbitrary command execution.

The original report is regarding single quotes. Testing with Fedora revealed that the issue there was with double quotes.

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741659

Comment 1 Murray McAllister 2014-03-17 06:18:33 UTC
Created k4dirstat tracking bugs for this issue:

Affects: fedora-all [bug 1077061]

Comment 2 Murray McAllister 2014-03-17 06:18:37 UTC
Created kdirstat tracking bugs for this issue:

Affects: fedora-19 [bug 1077060]

Comment 3 Murray McAllister 2014-03-17 06:22:42 UTC
CVE request: http://www.openwall.com/lists/oss-security/2014/03/17/2

Comment 4 Murray McAllister 2014-03-19 02:06:21 UTC
MITRE assigned CVE-2014-2527 to the issue involving " (the one that affects Fedora)

MITRE assigned CVE-2014-2528 to the issue involving ' (as noted in the Debian report, and fixed via https://bitbucket.org/jeromerobert/k4dirstat/commits/1ad2e96d73fa06cd9be0f3749b337c03575016aa#chg-src/kcleanup.cpp

Comment 5 Murray McAllister 2014-03-19 02:07:39 UTC
(In reply to Murray McAllister from comment #4)
> MITRE assigned CVE-2014-2527 to the issue involving " (the one that affects
> Fedora)
> 
> MITRE assigned CVE-2014-2528 to the issue involving ' (as noted in the
> Debian report, and fixed via
> https://bitbucket.org/jeromerobert/k4dirstat/commits/
> 1ad2e96d73fa06cd9be0f3749b337c03575016aa#chg-src/kcleanup.cpp

Reference: http://seclists.org/oss-sec/2014/q1/590

Comment 6 Dmitrij S. Kryzhevich 2014-03-19 08:57:39 UTC
Working.

Comment 7 Dmitrij S. Kryzhevich 2014-03-19 09:01:01 UTC
I lost "CVE-2014-2527 CVE-2014-2528" from "Summary" but can't find how to return this change.

Comment 8 Murray McAllister 2014-03-19 09:28:39 UTC
(In reply to Dmitrij S. Kryzhevich from comment #7)
> I lost "CVE-2014-2527 CVE-2014-2528" from "Summary" but can't find how
> to return this change.

Hello,

Thanks for looking at this. I have put it back in the summary (there is an "edit" button near the title of the page).

For bugs like this one (filed against the Security Response Product), we leave them in the "NEW" state until everywhere is fixed, and don't assign them to people. For the trackers/product specific bugs, such as bug 1077061 and bug 1077060, you can change their state and assign those to yourself.

http://seclists.org/oss-sec/2014/q1/590 has some discussion about the issue. I am unsure if there is a patch yet for the use of " characters :(

Comment 9 Dmitrij S. Kryzhevich 2014-03-19 09:55:14 UTC
Thanks.

I think we could use the upstream patch as is ( http://paste.fedoraproject.org/86626/52224521/ )
The resulting var "QString expanded" just goes to the shell in the way it is formatted, so there is no need to make a difference between ' and " in this part of the code. Substitution for the file/directory name goes into the following string:
rm -rf %p
There are no special signs here.

But still I will run a few tests.


And one more thing. It was a surprise for me that there is a new upstream here ( bitbucket.org/jeromerobert/k4dirstat ).
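The comment above describes the cleanup template `rm -rf %p` and the two quote characters behind the two CVEs. The following is an added illustration, not KDirStat/k4dirstat code and not the upstream patch: a Qt-free C++ sketch with hypothetical helper names (`naiveQuote`, `shellQuote`, `expandCommand`, `splitWords`, `pathSurvivesIntact`) that puts the unsafe quoting (wrap the name in `"` or `'` without escaping) beside the hardened form (single-quote the whole path and rewrite each embedded `'` as `'\''`), then runs both through a simplified model of POSIX word splitting to check whether the directory name still arrives as exactly one argument. The directory names used are constructed; nothing is executed.

```cpp
#include <cassert>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Added illustration, not KDirStat/k4dirstat code. The template "rm -rf %p"
// is the one quoted in the bug; the helpers and sample names are constructed.

// Unsafe: wrap the path in a quote character without escaping that same
// character inside the name. A name containing the wrapper quote ends the
// word early and the remainder is parsed as shell syntax. q == '"' models
// the Fedora case (CVE-2014-2527), q == '\'' the Debian case (CVE-2014-2528).
std::string naiveQuote(const std::string& path, char q) {
    return std::string(1, q) + path + std::string(1, q);
}

// Hardened: single-quote the whole path and rewrite each embedded single
// quote as '\'' (close, escaped literal quote, reopen). Inside single quotes
// every other byte, including '"', '$', '`' and ';', is literal.
std::string shellQuote(const std::string& path) {
    std::string out = "'";
    for (char c : path) {
        if (c == '\'') out += "'\\''";
        else           out += c;
    }
    out += "'";
    return out;
}

// Substitute the already-quoted path for "%p" in the command template.
std::string expandCommand(const std::string& tmpl, const std::string& quotedPath) {
    std::string out;
    for (size_t i = 0; i < tmpl.size(); ++i) {
        if (tmpl[i] == '%' && i + 1 < tmpl.size() && tmpl[i + 1] == 'p') {
            out += quotedPath;
            ++i;
        } else {
            out += tmpl[i];
        }
    }
    return out;
}

// Simplified model of POSIX word splitting: whitespace separates words,
// single quotes are fully literal, double quotes allow backslash escapes of
// " \ $ `, a backslash outside quotes escapes the next byte. No expansions
// and no operators (';' stays inside a word). Throws on an unterminated quote.
std::vector<std::string> splitWords(const std::string& cmd) {
    std::vector<std::string> words;
    std::string cur;
    bool inWord = false;
    for (size_t i = 0; i < cmd.size(); ++i) {
        char c = cmd[i];
        if (c == '\'') {
            size_t j = cmd.find('\'', i + 1);
            if (j == std::string::npos) throw std::runtime_error("unterminated single quote");
            cur.append(cmd, i + 1, j - i - 1);
            inWord = true;
            i = j;
        } else if (c == '"') {
            bool closed = false;
            for (++i; i < cmd.size(); ++i) {
                if (cmd[i] == '"') { closed = true; break; }
                if (cmd[i] == '\\' && i + 1 < cmd.size() &&
                    std::string("\"\\$`").find(cmd[i + 1]) != std::string::npos) {
                    ++i;  // keep the escaped byte literally
                }
                cur += cmd[i];
            }
            if (!closed) throw std::runtime_error("unterminated double quote");
            inWord = true;
        } else if (c == '\\' && i + 1 < cmd.size()) {
            cur += cmd[++i];
            inWord = true;
        } else if (c == ' ' || c == '\t' || c == '\n') {
            if (inWord) { words.push_back(cur); cur.clear(); inWord = false; }
        } else {
            cur += c;
            inWord = true;
        }
    }
    if (inWord) words.push_back(cur);
    return words;
}

// Defender's check: after expansion the shell must see exactly "rm", "-rf"
// and the original path as the third word; anything else means the name
// changed the command structure.
bool pathSurvivesIntact(const std::string& quotedPath, const std::string& path) {
    try {
        std::vector<std::string> w = splitWords(expandCommand("rm -rf %p", quotedPath));
        return w.size() == 3 && w[0] == "rm" && w[1] == "-rf" && w[2] == path;
    } catch (const std::runtime_error&) {
        return false;
    }
}

int main() {
    // Constructed directory names, each carrying the quote its naive wrapper uses.
    const std::string withDouble = "a\"; echo x; \"b";
    const std::string withSingle = "a'; echo x; 'b";
    std::cout << "naive \"  : " << pathSurvivesIntact(naiveQuote(withDouble, '"'), withDouble) << "\n";
    std::cout << "naive '  : " << pathSurvivesIntact(naiveQuote(withSingle, '\''), withSingle) << "\n";
    std::cout << "hardened : " << pathSurvivesIntact(shellQuote(withDouble), withDouble)
              << pathSurvivesIntact(shellQuote(withSingle), withSingle) << "\n";
    return 0;
}
```

The quoting and the word-splitting model are deliberately separate: the first is the fix, the second is the regression check a packager can keep in a unit test so that any future change to the template or the quoting routine is caught before it reaches a shell. Passing the path as a separate `argv` element (no shell at all) avoids the problem entirely where the cleanup command allows it.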

Comment 10 Dmitrij S. Kryzhevich 2014-03-19 10:00:12 UTC
Too many mistypes. My bad.

Comment 11 Dmitrij S. Kryzhevich 2014-03-20 03:20:08 UTC
Looks like this patch fixes all ' and " issues. Will submit as an update.

Comment 12 Fedora Update System 2014-03-30 06:05:24 UTC
k4dirstat-2.7.0-0.14.20101010git6c0a9e6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2014-03-30 06:11:32 UTC
k4dirstat-2.7.0-0.14.20101010git6c0a9e6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

