Bug 493157 - rpmbuild allows names and versions/releases like: ../../../
Summary: rpmbuild allows names and versions/releases like: ../../../
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: 10
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Jindrich Novy
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-03-31 20:02 UTC by seth vidal
Modified: 2013-07-29 01:57 UTC (History)
8 users (show)

Fixed In Version: 4.6.1-1.fc10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-06-04 21:11:12 UTC
Type: ---


Attachments (Terms of Use)

Description seth vidal 2009-03-31 20:02:25 UTC
Description of problem:
look at this spec:
http://skvidal.fedorapeople.org/misc/foo-1.1.spec


build that spec.
note where the files end up being written/built.

cry softly into your keyboard when you think about %clean

<shudder>
so I think maybe ~, /, and .. among anything else you can think of need to be stricken from pkg name/ver/rel fields?

Comment 1 Jindrich Novy 2009-04-06 08:23:43 UTC
Fixed upstream.

~,/ and .. are no more permitted in NVR.

Comment 4 Panu Matilainen 2009-04-09 13:10:26 UTC
Fixed in rawhide now, keeping open for F10 tracking.

Comment 5 Tomas Hoger 2009-04-09 13:25:06 UTC
Removing group restriction.

Comment 6 Jeff Johnson 2009-04-09 21:00:31 UTC
FYI: the issue of  wild characters in Name: was reported to a vendor-sec representative
in December and fixed @rpm5.org by adding PCRE validation patterns for all tags, not
just spot checking NVR. The issue is considerably more complex than, say,
   Name: ~;
and can be exercised by any script, not just rpmbuild, that constructs file paths
from RPM package tags.

Not that vendor-sec is worth much these days ...

Comment 7 Jeff Johnson 2009-04-10 19:10:30 UTC
Um, these issues are hardly fixed by preventing '/' and '~' and '..'.

After 30 minutes of dinking, there are (some) of the flaws I found (note
that I'm not even a professional "black hat", I'm quite sure that
additional paranoia and malice might have reduced 30 minutes
to something much less).

For starters, ~ is unnecessary when
   Name: whatever;cd;
is possible.

And there are eval contexts with '<' available that make
failing a build if/when a '/' is present pointless:

    Name: whatever;cd;cat<$SHELL>$'057'tmp$'057'myshell

Note that similar but much more serious exploits are possible
using /dev/tcp/HOSTNAME/PORT importing (and executing) a rootkit.

I suggest that you commit to permitted character sets in specific tag contents
and undertake explicit verification rather than fooling yourself with silliness like

    But you can't mention '/' or '~' or ".." in name/version/release!

instead. It really isn't __THAT__ hard to add an explicit permitted character set
in tag content like RPMTAG_NAME and RPMTAG_VERSION etc etc.

YMMV. Have fun!

Comment 8 Fedora Update System 2009-05-18 11:48:58 UTC
rpm-4.6.1-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/rpm-4.6.1-1.fc10

Comment 9 Fedora Update System 2009-05-20 00:53:37 UTC
rpm-4.6.1-1.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update rpm'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-5214

Comment 10 Fedora Update System 2009-06-04 21:11:01 UTC
rpm-4.6.1-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.