127263 – CAN-2004-0494 extfs vfs vulnerability in gnome-vfs2 and gnome-vfs

Bug 127263 - CAN-2004-0494 extfs vfs vulnerability in gnome-vfs2 and gnome-vfs

Summary: CAN-2004-0494 extfs vfs vulnerability in gnome-vfs2 and gnome-vfs

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	gnome-vfs2
Sub Component:
Version:	2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Jonathan Blandford
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-07-05 11:58 UTC by Alexander Larsson
Modified:	2013-04-02 04:19 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2004-10-15 14:45:21 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Alexander Larsson 2004-07-05 11:58:21 UTC

From vendor-sec:

I got a report yesterday about a vulnerability in the extfs backend of
gnome-vfs. This is a backend that lets you implement gnome-vfs backends
using scripts that was inherited from the vfs in midnight commander.

Mark Cox assigned me the number CAN-2004-0494 for this issue, and
recommended an embargo date of July 14th.

The core problem is that many of the extfs scripts shipped with
gnome-vfs and mc are not careful about user input. For instance, you can
do this:

alex@greebo /tmp/vfs $ ls -l
total 0
-rw-rw-r--    1 alex     alex            0 Jun 16 14:13 \|\ touch\
hacked.deb
alex@greebo /tmp/vfs $ gnomevfs-cat "file:///tmp/vfs/| touch
hacked.deb#deb:blah"
sh: line 1: dpkg-deb: command not found
tar: blah: Not found in archive
tar: Error exit delayed from previous errors
alex@greebo /tmp/vfs $ ls -l
total 0
-rw-------    1 alex     alex            0 Jun 16 14:14 hacked.deb
-rw-rw-r--    1 alex     alex            0 Jun 16 14:13 \|\ touch\
hacked.deb

The same thing happens if you use midnight commander to open the file.

This particular issue is caused by the "deb" extfs script doing:
  if ( open(PIPEIN, "dpkg-deb -c $archivename |") )
I haven't looked at it in detail, but its likely that other scripts have
similar problems.

To exploit someone using this requires you to get a user to open a
hand-crafted URI with gnome-vfs or mc. One way to do that with gnome-vfs
is to have the user click on a desktop file link (that you created) in
nautilus.

For the case of gnome-vfs, I think the best approach to fixing this is
to just disable extfs. It doesn't work well since chained URI handling
isn't quite working, and the only way to use it is to type in the uri
manually. I'm not sure how used this is in midnight commander though,
maybe it can't just be disabled there.

The easiest way to disable it is by removing
/usr/lib/gnome-vfs-2.0/modules/libextfs.so and the extfs line in
/etc/gnome-vfs-2.0/modules/default-modules.conf.
Also, the same goes for gnome-vfs 1.x, with the files being
/usr/lib/vfs/modules/libextfs.so and
/etc/vfs/modules/default-modules.conf

Comment 1 Mark J. Cox 2004-08-04 11:56:22 UTC

Aug 04 1200UTC - removing embargo

Note You need to log in before you can comment on or make changes to this bug.