Bug 17179 - security problem with mgetty
Summary: security problem with mgetty
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: mgetty
Version: 7.0
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-09-01 15:17 UTC by mal
Modified: 2008-05-01 15:37 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2000-09-01 16:28:27 UTC
Embargoed:


Attachments (Terms of Use)

Description mal 2000-09-01 15:17:14 UTC
Some mgetty filters are vulnerable to an attack
when sender ID (usually fax numbe, but may be set to any string)
has special symbols (like line feed inside).
This way an arbitrary command may be executed.

This is just few cases:
grep '\$2' /usr/share/doc/mgetty-1.1.21/samples/*

/usr/share/doc/mgetty-1.1.21/samples/coverpg.pbm:    MEMO=$2
/usr/share/doc/mgetty-1.1.21/samples/coverpg.pbm:        Fax:  $2
/usr/share/doc/mgetty-1.1.21/samples/coverpg.ps:    MEMO=$2

and others.
The files like
/usr/share/doc/mgetty-1.1.21/samples/new_fax.lj:SENDER="$2"
/usr/share/doc/mgetty-1.1.21/samples/new_fax.mail:SENDER="$2"
have $2 escaped as "$2" so these files are OK. 

Those which do not have argument escaped are vulnerable.
similar problems may exist with other mgetty scripts.

Comment 1 Gert Doering 2000-09-01 16:04:38 UTC
Non-Problem.  When assigning variables with blanks in them, NO QUOTES ARE
NEEDED.

$ a="a b c d"
$ echo $a
a b c d
$ b=$a
$ echo $b
a b c d

-> no problem here, even though $a contains whitespace.

(Besides, the bug report mixes wildly different types of scripts - new_fax and
coverpg are
used in different surroundings.  If a user calls coverpg with broken environment
variables,
and it executes arbitrary programs with his access rights - so what, he can
execute them
anyway)

Comment 2 mal 2000-09-01 16:28:25 UTC
White spaces are OK, 
but line feed (as I mentioned in the report)
and some other symbols are not
example:

---- file x
a="`echo -e \"A\nB\"`";
if [ $a == "x" ]; then
 echo Y
else
 echo N
fi
------

sh x
x: [: too many arguments
N

if you replace
if [ $a == "x" ]; then
to
if [ "$a" == "x" ]; then
everything is fine

sh  x
N

This type of behavior exactly specified in bash manual


Note You need to log in before you can comment on or make changes to this bug.