Bug 131829 - a2ps executes shell commands from filenames
Summary: a2ps executes shell commands from filenames
Alias: None
Product: Fedora
Classification: Fedora
Component: a2ps
Version: 3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tim Waugh
QA Contact:
Keywords: Security
Depends On:
Blocks: FC3Blocker
TreeView+ depends on / blocked
Reported: 2004-09-05 13:13 UTC by Steve Grubb
Modified: 2007-11-30 22:10 UTC (History)
0 users

Clone Of:
Last Closed: 2004-09-07 17:01:07 UTC

Attachments (Terms of Use)
Patch that fixes this problem (1.65 KB, patch)
2004-09-05 13:15 UTC, Steve Grubb
no flags Details | Diff

Description Steve Grubb 2004-09-05 13:13:11 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2)

Description of problem:
There was a vulnerability announced on full disclosure:


I've tested this at length and the patch is good. The risk is that
when a user downloads a "trusted" tarball and then does a wildcard
print of all files in a directory, the shell can execute some of the

The root cause of this hole is that popen() is used without escaping
the characters in the filename.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. touch 'x`echo >&2 42`.c'
2. a2ps -o /dev/null *.c

Actual Results:  42

Expected Results:  The contents of x`echo >&2 42` printed instead of

Additional info:

I will attach a patch for this. As far as security severity, I would
classify this as low to medium risk. It is very unexpected for
filenames to be executed instead of printed.

Comment 1 Steve Grubb 2004-09-05 13:15:19 UTC
Created attachment 103479 [details]
Patch that fixes this problem

Please apply before fc3test2 is finalized.

Comment 2 Tim Waugh 2004-09-07 14:45:14 UTC
Unable to verify.  Did you actually try this with 4.13b-40?

Comment 3 Steve Grubb 2004-09-07 17:01:07 UTC
I just re-tested the whole thing and it looks fine, too.

/usr/bin/file -L "${filename}"

This should be safe. Somewhere along the way I must have used an older
copy by accident. Sorry.

Note You need to log in before you can comment on or make changes to this bug.