Bug 152870 - CAN-2004-1170 a2ps File Name Command Execution Vulnerability
Summary: CAN-2004-1170 a2ps File Name Command Execution Vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: a2ps
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: 1, LEGACY, QA, rh73, rh90
Depends On:
Blocks:
 
Reported: 2004-12-12 19:54 UTC by David Lawrence
Modified: 2007-04-18 17:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-12-18 05:04:14 UTC
Embargoed:



Description David Lawrence 2005-03-30 23:30:21 UTC
from http://archives.neohapsis.com/archives/fulldisclosure/2004-08/1026.html
===
[Full-Disclosure] a2ps executing shell commands from file name

From: Rudolf Polzer (divzerogmail.com)
Date: Tue Aug 24 2004 - 06:01:47 CDT


Severity: Medium
Short description: a2ps executes arbitrary shell commands from a given file name
Affected: GNU a2ps 4.13, a nice syntax-highlighting formatter from
source code to PostScript
Operating systems: all systems where a2ps 4.13 compiles and which have
a Bourne or C shell by default used by system(). On other systems the
patch might not work while the problem is probably still there.

Description:

a2ps can execute shell commands from file names. Not really severe,
unless you use a2ps with wildcards from a world-writable directory
like /tmp. I've also seen someone using a2ps in a pure-ftpd upload
script which is executed after successful upload of a file.

Workaround:

Do not use wildcards in a2ps command lines except if you do that in a
directory only you can create files in and where you know the
contents. This might also apply to other tools (I did not check them),
so be careful.

How to reproduce:

$ touch 'x`echo >&2 42`.c'
$ a2ps -o /dev/null *.c
42
[x`echo >&2 42`.c (C): 0 pages on 0 sheets]
[Total: 0 pages on 0 sheets] saved into the file `/dev/null'
$ a2ps -V
GNU a2ps 4.13
Written by Akim Demaille, Miguel Santana.

How I found it:

$ touch 'LAN (div0)'
$ a2ps -o /dev/null LAN*
sh: -c: line 1: syntax error near unexpected token `('
sh: -c: line 1: `/usr/bin/file -L LAN (div0)'
[LAN (div0) (plain): 0 pages on 0 sheets]
[Total: 0 pages on 0 sheets] saved into the file `/dev/null'

How I fixed it:

http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain

Patch status:

Except for FreeBSD, no distribution seems to currently have the patch
(I sent it in to the FreeBSD people, the Debian a2ps maintainer
"mhatta at debian dot org" and "bug-a2ps at gnu dot org" at the same
time using Cc:).

The patch might not work on Windows while the problem seemingly still
exists when command.com is used as shell interpreter (but it might
require a prepared floppy). The file name for exploiting it may be
different, however.

MS-DOS probably is safe. I cannot think of anything malicious that you
can do in eight characters. However, a prepared floppy could contain a
file named

a|foo|.txt

and a foo.bat containing "what you want". Well, anyway, I do not know
if a2ps runs on DOS at all.

-- 
          / --- Where bots rampage, I'm there to take them down! --- \
         / ------ Where trouble arises, I'm there to cause it! ------ \
         \ Where an enemy tries to frag me, victory will be mine!!!1! /
{{dup[exch{dup exec}fork =}loop}dup exec >> http://www.ccc-offenbach.org <<

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
===



------- Additional Comments From pekkas 2004-12-21 09:19:49 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages have been created for RHL73, RHL9, and FC1, by taking the latest
packages, and adding the identical patch to each.  The patch was taken from
Debian, but it's the same as quoted here.

http://www.netcore.fi/pekkas/linux/a2ps-4.13b-19.1.legacy.src.rpm (RHL73)
http://www.netcore.fi/pekkas/linux/a2ps-4.13b-28.1.legacy.src.rpm (RHL9)
http://www.netcore.fi/pekkas/linux/a2ps-4.13b-30.1.legacy.src.rpm (FC1)

SHA1sums:
d126bfb504f7457d08815b59e331954b929518d1  a2ps-4.13b-19.1.legacy.src.rpm
5c230a5cb7d50e610201db9ac3f50406fce66967  a2ps-4.13b-28.1.legacy.src.rpm
9f2cd572a97212cf9dd4bdd2a5f2303d8a5be225  a2ps-4.13b-30.1.legacy.src.rpm

Changelog:
* Tue Dec 21 2004 Pekka Savola <pekkas 4.13b-28.1.legacy
- - Fix CAN-2004-1170 (#2338) w/ patch from Debian.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFByHclGHbTkzxSL7QRAkyzAJ9fFwexR7kWRFKrD/KSno/GXtKEOwCfRrN9
DeneOIit18znvzJyUi8nIeI=
=+bMU
-----END PGP SIGNATURE-----



------- Bug moved to this database by dkl 2005-03-30 18:30 -------

This bug previously known as bug 2338 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2338
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown operating system Windows XP. Setting to default OS "Linux".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was bugzilla.fedora.us.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
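Editor's added example (not part of the advisory, the a2ps source, the referenced patch, or any comment on this bug): the bug class described above reproduced in plain sh. It puts the unquoted "sh -c" string that a C system() call amounts to next to the argv-based call that is immune to it. "wc -c" stands in for the "/usr/bin/file -L" invocation visible in the shell error above; the temporary directory, the marker file "pwned" and the hostile file name are constructed for this demo.

```shell
#!/bin/sh
# Added example, not code from a2ps or from the advisory quoted above.
# wc -c stands in for "/usr/bin/file -L"; the temp dir, the marker file
# "pwned" and the hostile file name are constructed for this demo.

# Vulnerable pattern: the file name is pasted into a string that a child
# shell re-parses. This is what system("file -L <name>") does in C, so any
# shell metacharacter in the name (backticks, $(...), ;, |) is executed.
unsafe_probe() {
    sh -c "wc -c $1" >/dev/null 2>&1
}

# Safe pattern: the name travels as one argv element and is never parsed
# by a shell. "--" ends option parsing so a name beginning with "-" is
# still treated as a file and not as a flag.
safe_probe() {
    wc -c -- "$1" >/dev/null 2>&1
}

# Creates a file whose name carries a backtick payload (same idea as the
# advisory's touch 'x`echo >&2 42`.c'), runs one probe on it inside a
# fresh directory, and reports whether the payload ran.
# Prints "fired" if the marker file appeared, "contained" otherwise.
injection_result() {
    probe=$1
    hostile='x`touch pwned`.c'           # constructed hostile name
    dir=$(mktemp -d) || { echo error; return 1; }
    (
        cd "$dir" || exit 1
        : > "$hostile"                   # the name is stored literally
        "$probe" "$hostile" || true      # wc may fail; the side effect is the signal
        if [ -e pwned ]; then echo fired; else echo contained; fi
    )
    rm -rf "$dir"
}

# Stand-alone run: the unsafe probe lets the name execute "touch pwned",
# the safe probe does not.
echo "sh -c string:  $(injection_result unsafe_probe)"   # fired
echo "argv element:  $(injection_result safe_probe)"     # contained
```

The defect is the string-building call, not the shell: the durable fix is to stop handing the name to a shell at all (fork/exec with an argv, as safe_probe does), and only where a command line must be a string, to quote every byte of the name before it is spliced in. The same test, run from a world-writable directory with a wildcard, is a quick check for any other tool suspected of the same habit.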



Comment 1 Matthew Miller 2005-05-04 18:56:30 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for a2ps-4.13b-28.1.legacy.src.rpm for RHL9:

* only change to spec file is the addition of the one
  patch to fix this issue.
* patch is identical to FreeBSD patch mentioned above
* package build and installs fine
* seems to run fine

+PUBLISH

(Am I supposed to *remove* "publish-rhl9" from the
whiteboard now? Sorry, I'm confused.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCeRrEz8vebpLJCdYRAhqLAJ4mQQSvFy+yjVv0cyNNlhvzMoFO7QCfVqd/
xRofzpDg18D4smkaSqSjTQA=
=sCcA
-----END PGP SIGNATURE-----


Comment 2 Pekka Savola 2005-05-04 19:10:02 UTC
Yes, that obviates the need for anyone else to do so :)

Comment 3 Matthew Miller 2005-05-04 19:11:58 UTC
Okay -- just wanted to be sure that one "vote" was sufficient, and that the
whiteboard tags are actually inverse from what makes sense to me. :)

Comment 4 Eric Jon Rostetter 2005-09-23 18:25:19 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++PUBLISH for RHL 7.3
 
RHL 7.3 Packages: a2ps-4.13b-19.1.legacy.src.rpm
SHA1 checksums verify okay.
 
* I downloaded the src.rpm file, verified the sha1 checksum.
* Verified changelogs match except for CAN-2004-1170 fix and redhat rebuild.
* Verified changes with rpmlint/rpmdiff.  Only changes are U+G ownership
  changes on the patch files, addition of a patch for CAN-2004-1170,
  and changes to the spec file.
* Unpacked the rpms, and did a "diff -uNr" on the original and new contents.
  Verified spec file changes are as expected, and only other changes are
  the patch.  DID NOT VERIFY CONTENTS OF THE PATCH.  Only verified contents
  of the spec file, and that nothing else changed.
* Rebuilt package (no problems) on two machines (double the checks!)
* Tested the exploit to see that it worked with the old package.
* Installed the new package.
* Tested the exploit to see that it now fails.
 
Vote for pushing to updates-testing for RHL 7.3. ++PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDNEh94jZRbknHoPIRAg6KAJ4nuTJ/dEuD1zu2qEgCMyXliS61vgCeNIwb
8YbPjeH5zR+oYH2O3Tc+Alg=
=dQkg
-----END PGP SIGNATURE-----


Comment 5 Pekka Savola 2005-09-23 19:05:33 UTC
Publish for FC1 is still needed..

Comment 6 Pekka Savola 2005-09-23 19:09:15 UTC
Oops, and the patch contents still need to be reviewed.  (The update proposer
could otherwise inject e.g., root exploits or whatever in the patches!).

Comment 7 Eric Jon Rostetter 2005-10-19 19:33:27 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++PUBLISH for RHL 7.3
 
This is a _second_ (updated) PUBLISH vote for me (only count them as
_one_ vote, since they are duplicates) since last time I didn't verify
the patch contents (and this time I did).
 
RHL 7.3 Packages: enscript-1.6.1-19.73.1.legacy.src.rpm
SHA1 checksums verify okay.
 
* Verified changelogs match except for bug fix and redhat rebuild.
* Verified changes with rpmlint/rpmdiff.  Only changes are addition of
  the patch, changing of spec file, and the changing of user/group on files.
* Unpacked the rpms, and did a "diff -uNr" on the original and new contents.
  Verified spec file changes are as expected, and only other change is
  the new patch.  Verified the patch is the same as the one pointed to
  in this bug entry.
* Rebuilt package (no problems) on two RHL 7.3 machines without problems.
* Tested the exploit to see that it worked with the old package.
* Installed the new package without problems.
* Tested the exploit to see that it now fails (it does).
 
Vote for pushing to updates-testing for RHL 7.3. ++PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDVp+G4jZRbknHoPIRAhOqAJ4sqmiJ5oOLKT/bglx/bX296mCQXwCgrJ9o
8vJovcakb9PugOdVkQgUGuE=
=KGy0
-----END PGP SIGNATURE-----


Comment 8 Eric Jon Rostetter 2005-10-19 20:02:00 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++PUBLISH for FC 1
 
FC 1 Packages: a2ps-4.13b-30.1.legacy.src.rpm
SHA1 checksum 9f2cd572a97212cf9dd4bdd2a5f2303d8a5be225 verifies okay.
 
* Verified changelogs match except for bug fix addition.
* Verified changes with rpmlint/rpmdiff.  Only changes are addition of
  the patch, changing of spec file, and the changing of user/group on files.
* Unpacked the rpms, and did a "diff -uNr" on the original and new contents.
  Verified spec file changes are as expected, and only other change is
  the new patch.
* Verified the patch is the same as the one pointed to in this bug entry.
 
Package looks okay.  All changes to the package are as expected.  Did not
try to build or run the package though as I don't run FC1.
 
Vote for pushing to updates-testing for FC 1. ++PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDVqW04jZRbknHoPIRArJMAKCQAlhpn1IBcX79C9GmFPUOrjGt8ACeJ3TH
QdbIXRNpjI3TNPLEX9ideRk=
=YOMo
-----END PGP SIGNATURE-----


Comment 9 Pekka Savola 2005-10-20 04:34:35 UTC
Thanks!

Comment 10 Marc Deslauriers 2005-11-15 04:57:39 UTC
pushed to updates-testing

Comment 11 Pekka Savola 2005-11-16 11:00:35 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL9. Signatures OK, installs OK.  This and previous version generate
identical .ps file out of a text.  rpm-build-compare.sh on the binaries
looks sane.
 
+VERIFY RHL9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDexHMGHbTkzxSL7QRAtoLAJ9KJHFvHBrqOoNY80z82YxDqJNQWQCglwzs
XAYEnozv1gPaSQRSKt6jF6w=
=6t/K
-----END PGP SIGNATURE-----

Timeout in 4 weeks.

Comment 12 Eric Jon Rostetter 2005-11-18 19:33:26 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++VERIFY for RHL 7.3
 
Package: a2ps-4.13b-19.2.legacy.i386.rpm
SHA1 checksum b0ebb139fd78a887831f8528458d969c42841283 verifies okay.
 
Installed fine. Properly saved /usr/share/a2ps/afm/fonts.map.rpmsave.
Printed file properly.  All looks good.
 
Vote for release for RHL 7.3  ++VERIFY
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDfiv94jZRbknHoPIRAkoyAJ9EY+S7EvgPbMnPhFcJV6FDq0sC7gCgt/4o
+NtLZ/SGVQwcB0l4yEoJQts=
=lgcC
-----END PGP SIGNATURE-----


Comment 13 Pekka Savola 2005-11-18 19:46:28 UTC
Awesome :)

Comment 14 Pekka Savola 2005-11-30 19:08:34 UTC
Timeout over.

Comment 15 Marc Deslauriers 2005-12-18 05:04:14 UTC
Packages were released.

