Bug 1194205 – CVE-2015-1877 xdg-utils: command injection vulnerability due to local variables collision in xdg-open

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1194205 - (CVE-2015-1877) CVE-2015-1877 xdg-utils: command injection vulnerability due to local variables collision in xdg-open

Summary:	CVE-2015-1877 xdg-utils: command injection vulnerability due to local variabl...

Status:	NEW

Aliases:	CVE-2015-1877

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20150211,repor...
Keywords:	Security

Depends On:	1194209 1194210 1194211
Blocks:	1194208
	Show dependency tree / graph

Reported:	2015-02-19 05:43 EST by Vasyl Kaigorodov
Modified:	2015-02-25 06:16 EST (History)
CC List:	5 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Vasyl Kaigorodov 2015-02-19 05:43:51 EST

Command injection was reported [1] in xdg-utils running with dash.
Suggested patch:
https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=xdg-open.diff;att=1;bug=777722
Upstream bug report:
https://bugs.freedesktop.org/show_bug.cgi?id=89129

This issue only affects systems with "dash" shell set as default system shell.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777722

Comment 2 Vasyl Kaigorodov 2015-02-19 05:47:38 EST

Created xdg-utils tracking bugs for this issue:

Affects: fedora-all [bug 1194209]

Comment 3 Ján Rusnačko 2015-02-25 05:13:26 EST

Analysis:

xdg-open is used to open a file or URL in users preferred application. During the process of finding the correct app to run, it recursively searches Desktop file in function search_desktop_file(). This function uses local variable $file to store the path to the searched Desktop file and runs function get_key() on the $file. get_key() searched for 

[Desktop Entry]
Exec=...

in the $file and content of Exec= is later executed.

The problem is that variable name $file is also used earlier in function open_generic() and stores path to the file being opened. Now assuming that system`s shell *does not* reset the content of $file when it is declared as local variable *again*, then the file being opened will be searched as Desktop file. If it contains expected [Desktop Entry] along with Exec=, it leads to arbitrary command execution.

The assumption about reset of local variable contents hold for dash, but not bash:
$ cat testme
testme() {
   x=backfromthedead
   local x
   echo $x
}
testme

$ dash testme 
backfromthedead

$ bash testme 

Also, this does not work if the local variable is initialized:

$ cat testme 
testme() {
   x=backfromthedead
   local x=""
   echo $x
}
testme

$ dash testme 

$ bash testme 

xdg-open as shipped in Fedora and RHEL-7 does initialize $file variable, and uses bash as default /bin/sh.

Comment 4 Ján Rusnačko 2015-02-25 05:15:33 EST

Statement:

This issue did not affect the versions of xdg-utils as shipped with Red Hat Enterprise Linux 6 and 7.

Note You need to log in before you can comment on or make changes to this bug.