Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 17179 - security problem with mgetty
security problem with mgetty
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: mgetty (Show other bugs)
7.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-09-01 11:17 EDT by mal
Modified: 2008-05-01 11:37 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-09-01 12:28:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description mal 2000-09-01 11:17:14 EDT 
Some mgetty filters are vulnerable to an attack
when sender ID (usually fax numbe, but may be set to any string)
has special symbols (like line feed inside).
This way an arbitrary command may be executed.

This is just few cases:
grep '\$2' /usr/share/doc/mgetty-1.1.21/samples/*

/usr/share/doc/mgetty-1.1.21/samples/coverpg.pbm:    MEMO=$2
/usr/share/doc/mgetty-1.1.21/samples/coverpg.pbm:        Fax:  $2
/usr/share/doc/mgetty-1.1.21/samples/coverpg.ps:    MEMO=$2

and others.
The files like
/usr/share/doc/mgetty-1.1.21/samples/new_fax.lj:SENDER="$2"
/usr/share/doc/mgetty-1.1.21/samples/new_fax.mail:SENDER="$2"
have $2 escaped as "$2" so these files are OK. 

Those which do not have argument escaped are vulnerable.
similar problems may exist with other mgetty scripts.
Comment 1 Gert Doering 2000-09-01 12:04:38 EDT 
Non-Problem.  When assigning variables with blanks in them, NO QUOTES ARE
NEEDED.

$ a="a b c d"
$ echo $a
a b c d
$ b=$a
$ echo $b
a b c d

-> no problem here, even though $a contains whitespace.

(Besides, the bug report mixes wildly different types of scripts - new_fax and
coverpg are
used in different surroundings.  If a user calls coverpg with broken environment
variables,
and it executes arbitrary programs with his access rights - so what, he can
execute them
anyway)
Comment 2 mal 2000-09-01 12:28:25 EDT 
White spaces are OK, 
but line feed (as I mentioned in the report)
and some other symbols are not
example:

---- file x
a="`echo -e \"A\nB\"`";
if [ $a == "x" ]; then
 echo Y
else
 echo N
fi
------

sh x
x: [: too many arguments
N

if you replace
if [ $a == "x" ]; then
to
if [ "$a" == "x" ]; then
everything is fine

sh  x
N

This type of behavior exactly specified in bash manual
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.