Bug 127974 - CAN-2004-0494 extfs vfs vulnerability in mc
Summary: CAN-2004-0494 extfs vfs vulnerability in mc
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: mc (Show other bugs)
(Show other bugs)
Version: 2.1
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Jindrich Novy
QA Contact: Jay Turner
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-07-15 21:06 UTC by Josh Bressers
Modified: 2015-01-08 00:08 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-06-17 07:08:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Updated CAN-2004-0494 patch (77.45 KB, patch)
2004-12-20 14:08 UTC, Jindrich Novy
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2004:464 normal SHIPPED_LIVE Low: mc security update 2005-01-05 05:00:00 UTC

Description Josh Bressers 2004-07-15 21:06:32 UTC
From vendor-sec:

I got a report yesterday about a vulnerability in the extfs backend of
gnome-vfs. This is a backend that lets you implement gnome-vfs backends
using scripts that was inherited from the vfs in midnight commander.

Mark Cox assigned me the number CAN-2004-0494 for this issue, and
recommended an embargo date of July 14th.

The core problem is that many of the extfs scripts shipped with
gnome-vfs and mc are not careful about user input. For instance, you can
do this:

alex@greebo /tmp/vfs $ ls -l
total 0
-rw-rw-r--    1 alex     alex            0 Jun 16 14:13 \|\ touch\
hacked.deb
alex@greebo /tmp/vfs $ gnomevfs-cat "file:///tmp/vfs/| touch
hacked.deb#deb:blah"
sh: line 1: dpkg-deb: command not found
tar: blah: Not found in archive
tar: Error exit delayed from previous errors
alex@greebo /tmp/vfs $ ls -l
total 0
-rw-------    1 alex     alex            0 Jun 16 14:14 hacked.deb
-rw-rw-r--    1 alex     alex            0 Jun 16 14:13 \|\ touch\
hacked.deb

The same thing happens if you use midnight commander to open the file.

This particular issue is caused by the "deb" extfs script doing:
  if ( open(PIPEIN, "dpkg-deb -c $archivename |") )
I haven't looked at it in detail, but its likely that other scripts have
similar problems.

To exploit someone using this requires you to get a user to open a
hand-crafted URI with gnome-vfs or mc. One way to do that with gnome-vfs
is to have the user click on a desktop file link (that you created) in
nautilus.

Comment 1 Josh Bressers 2004-07-15 21:08:57 UTC
This issue also affects RHEL 2.1

Fedora Core is covered by bug 127973

Comment 2 Josh Bressers 2004-07-15 21:12:46 UTC
This issue ONLY affects RHEL 2.1

Comment 3 Mark J. Cox 2004-08-04 11:55:55 UTC
Aug 04 1200UTC - removing embargo

Comment 4 Leonard den Ottolander 2004-08-18 14:32:34 UTC
Is mc not available for RHEL 3? Why is this?


Comment 5 Mark J. Cox 2004-08-18 14:36:31 UTC
Yes, mc was not part of RHEL 3.

Comment 6 Leonard den Ottolander 2004-09-09 12:43:46 UTC
Erratum for Fedora Core has been released. When will there be one for
RHEL 2.1?

Comment 7 Josh Bressers 2004-09-09 12:49:01 UTC
It's in QA right now, as soon as they're done with it, we'll issue the
errata.

Comment 8 Mark J. Cox 2004-09-09 12:52:26 UTC
This will be RHSA-2004:464

Comment 9 Josh Bressers 2004-09-15 15:15:04 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-464.html


Comment 10 Leonard den Ottolander 2004-09-29 08:49:13 UTC
SUSE's security team has also audited the extfs shell scripts and came
up with some extra fixes.


Comment 11 Leonard den Ottolander 2004-09-29 08:52:42 UTC
See attachment #104496 [details] from bug #127973.


Comment 12 Leonard den Ottolander 2004-09-29 09:01:57 UTC
Cumulative patch: Attachment #104498 [details] to Bug #127973.


Comment 13 Leonard den Ottolander 2004-10-05 19:13:19 UTC
Attachment #104795 [details] to bug #127973 should fix these shell scripts.
Please check trpm for correctness.


Comment 14 Josh Bressers 2004-10-11 13:23:20 UTC
Bug 127973 has ongoing discussion and work to resolve these and some
additional issues.

Comment 15 Jindrich Novy 2004-12-16 13:49:41 UTC
I updated the extfs scripts in RHEL 2.1, version of patched mc is
mc-4.5.51-36.5

Comment 16 Leonard den Ottolander 2004-12-19 12:50:14 UTC
The patch for RHEL 2.1 misses fixes for "a". Also the patch should not
touch extfs.ini. Some more remarks and questions (about the
introduction of functional changes besides fixing quoting issues) have
been mailed to Jindrich.


Comment 17 Jindrich Novy 2004-12-20 14:08:55 UTC
Created attachment 108895 [details]
Updated CAN-2004-0494 patch

Comment 18 Josh Bressers 2005-01-05 15:33:41 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-464.html


Comment 19 Leonard den Ottolander 2005-01-06 13:13:15 UTC
Still a few issues to fix. Will be done soon, but not yet ;)

Comment 20 Josh Bressers 2005-06-17 01:51:16 UTC
What is the status of this issue?  Have we completely fixed it in our recent errata?

Comment 21 Jindrich Novy 2005-06-17 07:08:38 UTC
Yes, partial fix for this CAN was included also in the previous errata and it's
complete now with releasing the latest mc security errata.


Note You need to log in before you can comment on or make changes to this bug.