From vendor-sec: I got a report yesterday about a vulnerability in the extfs backend of gnome-vfs. This is a backend that lets you implement gnome-vfs backends using scripts, and it was inherited from the vfs in midnight commander. Mark Cox assigned me the number CAN-2004-0494 for this issue, and recommended an embargo date of July 14th.

The core problem is that many of the extfs scripts shipped with gnome-vfs and mc are not careful about user input. For instance, you can do this:

alex@greebo /tmp/vfs $ ls -l
total 0
-rw-rw-r--    1 alex     alex            0 Jun 16 14:13 \|\ touch\ hacked.deb
alex@greebo /tmp/vfs $ gnomevfs-cat "file:///tmp/vfs/| touch hacked.deb#deb:blah"
sh: line 1: dpkg-deb: command not found
tar: blah: Not found in archive
tar: Error exit delayed from previous errors
alex@greebo /tmp/vfs $ ls -l
total 0
-rw-------    1 alex     alex            0 Jun 16 14:14 hacked.deb
-rw-rw-r--    1 alex     alex            0 Jun 16 14:13 \|\ touch\ hacked.deb

The same thing happens if you use midnight commander to open the file.

This particular issue is caused by the "deb" extfs script doing:

  if ( open(PIPEIN, "dpkg-deb -c $archivename |") )

I haven't looked at it in detail, but it's likely that other scripts have similar problems.

To exploit someone using this requires you to get a user to open a hand-crafted URI with gnome-vfs or mc. One way to do that with gnome-vfs is to have the user click on a desktop file link (that you created) in nautilus.
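The following is an added stand-alone reproduction of the open() pattern quoted above; it is not the gnome-vfs/mc "deb" extfs script and not code from this bug. It assumes a Unix system with /bin/echo and touch, uses /bin/echo as a stand-in for dpkg-deb so it runs without dpkg installed, and constructs an archive name of the same shape as the one in the report. The unsafe function is the two-argument pipe open from the script; the safe one is the list-form open that the fix amounts to, where no shell ever parses the file name.

```perl
#!/usr/bin/perl
# Added example: reproduces the two-argument open() pipe from the "deb"
# extfs script and shows the list-form replacement.  /bin/echo stands in
# for dpkg-deb (assumption) so the script runs without dpkg.
use strict;
use warnings;
use File::Temp qw(tempdir);

my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";
END { chdir '/' }    # leave the temp dir so CLEANUP can remove it

# Constructed "archive" whose name carries shell metacharacters, as in
# the report: the file name itself is "| touch hacked.deb".
my $archivename = "$dir/| touch hacked.deb";
open(my $f, '>', $archivename) or die "create: $!";
close $f;

# 1. Vulnerable form (what the extfs script does): a two-argument open()
#    whose string ends in "|" is handed to /bin/sh -c, so the "|" inside
#    the file name ends the first command and "touch hacked.deb" runs as
#    a second one.  Output returned is whatever the last stage prints.
sub list_unsafe {
    my ($prog, $path) = @_;
    open(my $pipein, "$prog -c $path |") or die "open: $!";
    my @out = <$pipein>;
    close $pipein;
    return @out;
}

# 2. Hardened form: list-form open() with '-|'.  Perl fork()s and exec()s
#    $prog with an argv array; the file name is passed as one literal
#    argument and no shell is involved, so "|" has no special meaning.
sub list_safe {
    my ($prog, $path) = @_;
    open(my $pipein, '-|', $prog, '-c', $path) or die "open: $!";
    my @out = <$pipein>;
    close $pipein;
    return @out;
}

print "unsafe output: ", join('', list_unsafe('/bin/echo', $archivename)), "\n";
print "hacked.deb created: ", (-e "$dir/hacked.deb" ? "yes" : "no"), "\n";
unlink "$dir/hacked.deb";

print "safe output:   ", join('', list_safe('/bin/echo', $archivename));
print "hacked.deb created: ", (-e "$dir/hacked.deb" ? "yes" : "no"), "\n";
```

Run it with `perl` on any Linux box: the unsafe call leaves hacked.deb in the temporary directory and returns nothing (echo's output went into touch, which is the last stage of the injected pipeline), while the safe call returns the single line `-c /tmp/.../| touch hacked.deb` and creates no file. The same reasoning applies to the shell-script backends later audited by SUSE: any place an archive name is interpolated into a string that a shell parses needs the name passed as a separate, quoted argument instead.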
This issue also affects RHEL 2.1. Fedora Core is covered by bug 127973.
This issue ONLY affects RHEL 2.1
Aug 04 1200UTC - removing embargo
Is mc not available for RHEL 3? Why is this?
Yes, mc was not part of RHEL 3.
Erratum for Fedora Core has been released. When will there be one for RHEL 2.1?
It's in QA right now, as soon as they're done with it, we'll issue the errata.
This will be RHSA-2004:464
An erratum has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2004-464.html
SUSE's security team has also audited the extfs shell scripts and came up with some extra fixes.
See attachment #104496 [details] from bug #127973.
Cumulative patch: Attachment #104498 [details] to Bug #127973.
Attachment #104795 [details] to bug #127973 should fix these shell scripts. Please check trpm for correctness.
Bug 127973 has ongoing discussion and work to resolve these and some additional issues.
I updated the extfs scripts in RHEL 2.1, version of patched mc is mc-4.5.51-36.5
The patch for RHEL 2.1 misses fixes for "a". Also the patch should not touch extfs.ini. Some more remarks and questions (about the introduction of functional changes besides fixing quoting issues) have been mailed to Jindrich.
Created attachment 108895 [details] Updated CAN-2004-0494 patch
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2004-464.html
Still a few issues to fix. Will be done soon, but not yet ;)
What is the status of this issue? Have we completely fixed it in our recent errata?
Yes, a partial fix for this CAN was also included in the previous errata, and it is complete now with the release of the latest mc security errata.