Bug 17179 - security problem with mgetty
Product: Red Hat Linux
Classification: Retired
Component: mgetty
i386 Linux
medium Severity medium
Assigned To: Nalin Dahyabhai
Reported: 2000-09-01 11:17 EDT by mal
Modified: 2008-05-01 11:37 EDT (History)
Doc Type: Bug Fix
Last Closed: 2000-09-01 12:28:27 EDT
Description mal 2000-09-01 11:17:14 EDT
Some mgetty filters are vulnerable to an attack
when sender ID (usually fax number, but may be set to any string)
has special symbols (like line feed inside).
This way an arbitrary command may be executed.

These are just a few cases:
grep '\$2' /usr/share/doc/mgetty-1.1.21/samples/*

/usr/share/doc/mgetty-1.1.21/samples/coverpg.pbm:    MEMO=$2
/usr/share/doc/mgetty-1.1.21/samples/coverpg.pbm:        Fax:  $2
/usr/share/doc/mgetty-1.1.21/samples/coverpg.ps:    MEMO=$2

and others.
The files like
have $2 escaped as "$2" so these files are OK. 

Those which do not have argument escaped are vulnerable.
Similar problems may exist with other mgetty scripts.
Comment 1 Need Real Name 2000-09-01 12:04:38 EDT
Non-Problem.  When assigning variables with blanks in them, NO QUOTES ARE

$ a="a b c d"
$ echo $a
a b c d
$ b=$a
$ echo $b
a b c d

-> no problem here, even though $a contains whitespace.

(Besides, the bug report mixes wildly different types of scripts - new_fax and
coverpg are
used in different surroundings.  If a user calls coverpg with broken environment
and it executes arbitrary programs with his access rights - so what, he can
execute them
Comment 2 mal 2000-09-01 12:28:25 EDT
White spaces are OK, 
but line feed (as I mentioned in the report)
and some other symbols are not

---- file x
a="`echo -e \"A\nB\"`";
if [ $a == "x" ]; then
 echo Y
else
 echo N
fi

sh x
x: [: too many arguments

if you replace
if [ $a == "x" ]; then
with
if [ "$a" == "x" ]; then
everything is fine

sh  x

This type of behavior is exactly specified in the bash manual.
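
Added example, not part of the original bug thread and not mgetty code: a POSIX sh script that puts the three cases discussed above side by side (plain assignment, unquoted use as a command argument, and unquoted versus quoted use inside a [ ] test). The value of sender_id is constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample: a sender ID with an embedded line feed, standing in
# for the string a filter script receives as $2.
sender_id=$(printf 'A\nB')

# Case 1: plain assignment. The shell does not word-split the right-hand
# side of an assignment, so the copy is intact even without quotes.
assign_copy() {
    copy=$1
    [ "$copy" = "$1" ] && echo intact || echo altered
}

# Case 2: expansion as a command argument. Unquoted, the value is split on
# whitespace (line feed included) and arrives as several arguments.
count_args() { echo $#; }
args_unquoted() { count_args $1; }
args_quoted()   { count_args "$1"; }

# Case 3: expansion inside a [ ] test. Unquoted, the extra words make the
# test itself malformed, so it fails with an error status above 1 instead
# of returning a clean true (0) or false (1).
compare_unquoted() {
    [ $1 = "x" ] 2>/dev/null && rc=0 || rc=$?
    echo "$rc"
}
compare_quoted() {
    [ "$1" = "x" ] && rc=0 || rc=$?
    echo "$rc"
}

printf 'assignment copy:        %s\n' "$(assign_copy "$sender_id")"
printf 'arguments, unquoted:    %s\n' "$(args_unquoted "$sender_id")"
printf 'arguments, quoted:      %s\n' "$(args_quoted "$sender_id")"
printf 'test status, unquoted:  %s\n' "$(compare_unquoted "$sender_id")"
printf 'test status, quoted:    %s\n' "$(compare_quoted "$sender_id")"
```

A script that only checks whether the test succeeded cannot tell the error status from an ordinary "not equal", so the malformed test silently takes the else branch.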
