Bug 1165078 (CVE-2014-8990) - CVE-2014-8990 lsyncd: command injection through backticks in a filename
Summary: CVE-2014-8990 lsyncd: command injection through backticks in a filename
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2014-8990
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1165079 1165080 1383855 1383857
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-11-18 09:51 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:23 UTC (History)
8 users (show)

Fixed In Version: lsyncd 2.1.6
Clone Of:
Environment:
Last Closed: 2017-04-12 13:51:55 UTC
Embargoed:

Attachments (Terms of Use)

Description Vasyl Kaigorodov 2014-11-18 09:51:06 UTC 
It was reported [1] that lsyncd is vulnerable to command injection.
If a filename has "`" (backticks), what betwwen backticks will be executed with lsyncd process privileges.
Upstream patch is at [2].

[1]: https://github.com/axkibe/lsyncd/issues/220
[2]: https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
Comment 1 Vasyl Kaigorodov 2014-11-18 09:51:34 UTC 
Created lsyncd tracking bugs for this issue:

Affects: epel-all [bug 1165079]
Affects: fedora-all [bug 1165080]
Comment 2 Murray McAllister 2014-11-19 00:14:35 UTC 
CVE request: http://www.openwall.com/lists/oss-security/2014/11/19/1
Comment 3 Martin Prpič 2014-11-20 08:52:49 UTC 
MITRE assigned CVE-2014-8990 to this issue:

http://seclists.org/oss-sec/2014/q4/699

Note that there is a concern from MITRE that the fix is incomplete:

The MITRE CVE team does not have a Lua expert. The code change adds:

  local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
  local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')

This does not seem to be the typical fix approach for unsafe input to
a shell. Has anyone concluded that this is an incomplete fix that ought
to be modified before the 2.1.6 release?
Comment 4 Martin Prpič 2014-11-26 09:30:04 UTC 
(In reply to Martin Prpic from comment #3)
> MITRE assigned CVE-2014-8990 to this issue:
> 
> http://seclists.org/oss-sec/2014/q4/699
> 
> Note that there is a concern from MITRE that the fix is incomplete:
> 

An alternate patch was proposed on oss-sec:

http://seclists.org/oss-sec/2014/q4/796
Comment 5 Fedora Update System 2014-12-03 01:01:07 UTC 
lsyncd-2.1.4-4.fc20.1 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-12-03 01:04:44 UTC 
lsyncd-2.1.4-4.fc19.1 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-12-06 10:10:08 UTC 
lsyncd-2.1.5-6.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-12-06 17:09:49 UTC 
lsyncd-2.1.5-6.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2014-12-06 17:10:27 UTC 
lsyncd-2.1.4-4.el5.1.1 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2014-12-06 17:11:33 UTC 
lsyncd-2.1.4-4.el6.1.1 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-06-29 18:38:46 UTC 
lsyncd-2.1.5-0.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Jason Taylor 2017-01-14 15:15:42 UTC 
This should be resolved now in all versions available in fedora/epel.
Note You need to log in before you can comment on or make changes to this bug.