Bug 131829 - a2ps executes shell commands from filenames
a2ps executes shell commands from filenames
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: a2ps (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tim Waugh
: Security
Depends On:
Blocks: FC3Blocker
  Show dependency treegraph
 
Reported: 2004-09-05 09:13 EDT by Steve Grubb
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-09-07 13:01:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch that fixes this problem (1.65 KB, patch)
2004-09-05 09:15 EDT, Steve Grubb
no flags Details | Diff

  None (edit)
Description Steve Grubb 2004-09-05 09:13:11 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2)
Gecko/20040308

Description of problem:
There was a vulnerability announced on full disclosure:

http://marc.theaimsgroup.com/?l=full-disclosure&m=109334851517137&w=2

I've tested this at length and the patch is good. The risk is that
when a user downloads a "trusted" tarball and then does a wildcard
print of all files in a directory, the shell can execute some of the
filenames.

The root cause of this hole is that popen() is used without escaping
the characters in the filename.

Version-Release number of selected component (if applicable):
a2ps-4.13b-40

How reproducible:
Always

Steps to Reproduce:
1. touch 'x`echo >&2 42`.c'
2. a2ps -o /dev/null *.c

Actual Results:  42

Expected Results:  The contents of x`echo >&2 42` printed instead of
executed.

Additional info:

I will attach a patch for this. As far as security severity, I would
classify this as low to medium risk. It is very unexpected for
filenames to be executed instead of printed.
Comment 1 Steve Grubb 2004-09-05 09:15:19 EDT
Created attachment 103479 [details]
Patch that fixes this problem

Please apply before fc3test2 is finalized.
Comment 2 Tim Waugh 2004-09-07 10:45:14 EDT
Unable to verify.  Did you actually try this with 4.13b-40?
Comment 3 Steve Grubb 2004-09-07 13:01:07 EDT
I just re-tested the whole thing and it looks fine, too.

/usr/bin/file -L "${filename}"

This should be safe. Somewhere along the way I must have used an older
copy by accident. Sorry.

Note You need to log in before you can comment on or make changes to this bug.