Bug 131829 - a2ps executes shell commands from filenames
Summary: a2ps executes shell commands from filenames
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: a2ps
Version: 3
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact:
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks: FC3Blocker
TreeView+ depends on / blocked
 
Reported: 2004-09-05 13:13 UTC by Steve Grubb
Modified: 2007-11-30 22:10 UTC (History)
0 users

(edit)
Clone Of:
(edit)
Last Closed: 2004-09-07 17:01:07 UTC


Attachments (Terms of Use)
Patch that fixes this problem (1.65 KB, patch)
2004-09-05 13:15 UTC, Steve Grubb
no flags Details | Diff

Description Steve Grubb 2004-09-05 13:13:11 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2)
Gecko/20040308

Description of problem:
There was a vulnerability announced on full disclosure:

http://marc.theaimsgroup.com/?l=full-disclosure&m=109334851517137&w=2

I've tested this at length and the patch is good. The risk is that
when a user downloads a "trusted" tarball and then does a wildcard
print of all files in a directory, the shell can execute some of the
filenames.

The root cause of this hole is that popen() is used without escaping
the characters in the filename.

Version-Release number of selected component (if applicable):
a2ps-4.13b-40

How reproducible:
Always

Steps to Reproduce:
1. touch 'x`echo >&2 42`.c'
2. a2ps -o /dev/null *.c

Actual Results:  42

Expected Results:  The contents of x`echo >&2 42` printed instead of
executed.

Additional info:

I will attach a patch for this. As far as security severity, I would
classify this as low to medium risk. It is very unexpected for
filenames to be executed instead of printed.

Comment 1 Steve Grubb 2004-09-05 13:15:19 UTC
Created attachment 103479 [details]
Patch that fixes this problem

Please apply before fc3test2 is finalized.

Comment 2 Tim Waugh 2004-09-07 14:45:14 UTC
Unable to verify.  Did you actually try this with 4.13b-40?

Comment 3 Steve Grubb 2004-09-07 17:01:07 UTC
I just re-tested the whole thing and it looks fine, too.

/usr/bin/file -L "${filename}"

This should be safe. Somewhere along the way I must have used an older
copy by accident. Sorry.


Note You need to log in before you can comment on or make changes to this bug.