Bug 17179 - security problem with mgetty
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: mgetty
Version: 7.0
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Nalin Dahyabhai
Reported: 2000-09-01 11:17 EDT by mal
Modified: 2008-05-01 11:37 EDT (History)
Last Closed: 2000-09-01 12:28:27 EDT
Description mal 2000-09-01 11:17:14 EDT
Some mgetty filters are vulnerable to an attack
when the sender ID (usually a fax number, but may be set to any string)
has special symbols (like a line feed inside).
This way an arbitrary command may be executed.

These are just a few cases:
grep '\$2' /usr/share/doc/mgetty-1.1.21/samples/*

/usr/share/doc/mgetty-1.1.21/samples/coverpg.pbm:    MEMO=$2
/usr/share/doc/mgetty-1.1.21/samples/coverpg.pbm:        Fax:  $2
/usr/share/doc/mgetty-1.1.21/samples/coverpg.ps:    MEMO=$2

and others.
The files like
/usr/share/doc/mgetty-1.1.21/samples/new_fax.lj:SENDER="$2"
/usr/share/doc/mgetty-1.1.21/samples/new_fax.mail:SENDER="$2"
have $2 escaped as "$2" so these files are OK. 

Those which do not have the argument escaped are vulnerable.
Similar problems may exist with other mgetty scripts.
Comment 1 Need Real Name 2000-09-01 12:04:38 EDT
Non-Problem.  When assigning variables with blanks in them, NO QUOTES ARE NEEDED.

$ a="a b c d"
$ echo $a
a b c d
$ b=$a
$ echo $b
a b c d

-> no problem here, even though $a contains whitespace.

(Besides, the bug report mixes wildly different types of scripts - new_fax and
coverpg are used in different surroundings.  If a user calls coverpg with broken
environment variables, and it executes arbitrary programs with his access
rights - so what, he can execute them anyway)
Comment 2 mal 2000-09-01 12:28:25 EDT
White spaces are OK,
but line feed (as I mentioned in the report)
and some other symbols are not.
Example:

---- file x
a="`echo -e \"A\nB\"`";
if [ $a == "x" ]; then
 echo Y
else
 echo N
fi
------

sh x
x: [: too many arguments
N

If you replace
if [ $a == "x" ]; then
with
if [ "$a" == "x" ]; then
everything is fine

sh  x
N

This type of behavior is exactly specified in the bash manual.
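
The two comments describe different contexts, which the following added example separates (it is not part of the original bug report and is not mgetty code; the function names and sender ID values are constructed for illustration). It goes slightly beyond the thread by also covering a glob character as one of the "other symbols": a plain assignment such as MEMO=$2 is never field-split, while the same unquoted expansion used as a command argument is.

```shell
# Added illustration; the sender ID value below is a constructed sample.
NL='
'
SENDER_LF="A${NL}B"    # constructed sender ID containing a line feed
# Number of arguments a command receives when VALUE is expanded unquoted.
count_unquoted() {
    v=$1
    set -- $v            # deliberately unquoted: field splitting and globbing apply
    echo "$#"
}

# Same expansion, quoted: always exactly one argument.
count_quoted() {
    v=$1
    set -- "$v"
    echo "$#"
}

# Comment 1's case: a plain assignment is not field-split, quoted or not.
assign_preserves() {
    v=$1
    copy=$v
    [ "$copy" = "$v" ] && echo yes || echo no
}

# Comment 2's case: exit status of the test with the operand unquoted or quoted.
# 0 = equal, 1 = not equal, greater than 1 = the test itself failed to parse.
test_unquoted() {
    v=$1
    [ $v = x ] 2>/dev/null && rc=0 || rc=$?
    echo "$rc"
}
test_quoted() {
    v=$1
    [ "$v" = x ] && rc=0 || rc=$?
    echo "$rc"
}

# A sender ID of "*" expands to the file names in the current directory.
glob_count() {
    d=$(mktemp -d) || return 1
    : > "$d/one"; : > "$d/two"
    n=$(cd "$d" && count_unquoted '*')
    rm -rf "$d"
    echo "$n"
}
printf 'args: unquoted=%s quoted=%s\n' "$(count_unquoted "$SENDER_LF")" "$(count_quoted "$SENDER_LF")"
```

When auditing scripts like the samples listed in the description, the lines to check are therefore the later uses of MEMO or SENDER as command arguments or test operands, not the assignments themselves.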
