Bug 526513 - (CVE-2009-5067) CVE-2009-5067 html2ps: arbitrary file disclosure in SSI directives
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
URL: http://user.it.uu.se/~jan/html2ps.html
Whiteboard: impact=moderate,source=debian,reporte...
Keywords: Security
Depends On: 530386 530398 530403 586356 587324
Reported: 2009-09-30 13:26 EDT by Vincent Danen
Modified: 2012-10-05 16:32 EDT
Doc Type: Bug Fix
Last Closed: 2010-06-25 06:02:50 EDT

External Trackers:
Debian BTS 548633

Description Vincent Danen 2009-09-30 13:26:22 EDT
It was reported [1] that html2ps suffers from an arbitrary file disclosure in SSI directives, as noted via the exploit [2] posted to PacketStorm.  This has not been addressed upstream from what I can tell.  If html2ps is called via a web page that allows a user to upload the content to convert to ps, it could allow for arbitrary file content disclosure based on the permissions of the user running html2ps.

This would affect html2ps in Fedora 10, 11, rawhide, and EPEL 5.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548633
[2] http://www.packetstormsecurity.org/0909-exploits/html2ps-disclose.txt
Comment 1 Vincent Danen 2009-10-20 12:44:21 EDT
This was not reported upstream at all, so I emailed the author.  He isn't really maintaining html2ps anymore, but did provide the following patch to disable SSI support:

*** 2526,2530 ****
        $inc="";
        $file=$3;
!       if($1 eq "include" && (substr($file,0,1) ne "/" || $opt_r)) {
          if(substr($file,0,1) ne "/") {
            $file=$B2.$file;
--- 2526,2530 ----
        $inc="";
        $file=$3;
!       if(0 && $1 eq "include" && (substr($file,0,1) ne "/" || $opt_r)) {
          if(substr($file,0,1) ne "/") {
            $file=$B2.$file;
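Review bot: `if(0 && ...)` turns the include branch into dead code rather than fixing the check, and the condition it leaves behind is the weak one: `substr($file,0,1) ne "/"` only rejects a path whose first character is `/`, so a relative `../../etc/passwd` passes and is prefixed with `$B2` on the following line, which is exactly the disclosure this bug describes. If the branch is meant to come back, the condition should reject `..` components (better still, resolve the joined path and require it to stay under the base directory) instead of only a leading slash; if it is not, remove the branch and the now-unused `$file=$3` assignment rather than leaving `0 &&` in place.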

He has, however, indicated that he will try to come up with a better fix.  I think it unlikely that many people would be using html2ps as a CGI to parse untrusted user input, so it may be prudent to disable the support altogether if we do not get an appropriate fix or cannot come up with one.
Comment 3 Vincent Danen 2009-10-22 11:36:05 EDT
Upstream has released 1.0b6 to address this issue:

  091021 1.0b6   "Security" fix. Changed behavior for SSI, to avoid having
                 arbitrary readable files disclosed on a web server that uses
                 html2ps in a web application (cgi script etc), allowing HTML
                 files to be uploaded for conversion. Setting up a service like
                 this is begging for trouble in my opinion. (Is /bin/cat also
                 a vulnerability, since one can use it in a web app, allowing
                 uploading arbitrary parameters to it?)

Could you update to the b6 release?  The diff is quite small so patching would be an option as well, but because the only change in this version is this fix, I think it would be better to update to the latest version.

http://user.it.uu.se/~jan/html2ps.html
Comment 7 Petr Pisar 2010-04-27 07:50:36 EDT
The new upstream fix does two things: it disables SSI by default and checks for ".." in the file path.

The problem is that the second check is done with the m// operator, which replaces the $` and $' variables that are used later.

IOW, the fix introduces a bug.
Comment 8 Petr Pisar 2010-04-27 08:00:38 EDT
(In reply to comment #7)
IOW, the fix introduces a regression. I have proposed the following fix to upstream:

diff --git a/html2ps b/html2ps
index 98d3b8c..b6fb943 100755
--- a/html2ps
+++ b/html2ps
@@ -2525,6 +2525,7 @@ sub Subst{
     while(/<!--#(include|config|echo)\s+(\w+)\s*="([^"]+)"\s*-->/) {
       $inc="";
       $file=$3;
+      my ($prefix, $suffix) = ($`,$');
       if($1 eq "include" && ($file !~m"^/|\.\." || $opt_r)) {
         if(substr($file,0,1) ne "/") {
           $file=$B2.$file;
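Review bot: saving `$`` and `$'` into `$prefix`/`$suffix` right after `$file=$3` is the right fix for the clobbering, but the `|| $opt_r` on the next line still bypasses the whole `^/|..` check: with `$opt_r` (the -r option) set, absolute paths and `..` go straight through to `$file=$B2.$file`, so any CGI-style deployment has to guarantee that option is never passed. On the check itself, `m"^/|\.\."` rejects every file name containing two consecutive dots (`notes..html`) while still allowing a symlink under `$B2` that points outside it; a canonicalised-path containment test (resolve `$B2.$file`, require the `$B2` prefix) would be both more precise and stronger than the substring test.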
@@ -2545,7 +2546,7 @@ sub Subst{
       } elsif ($1 eq "echo") {
         $inc=$var{$3};
       }
-      $_=$`.$inc.$';
+      $_=$prefix.$inc.$suffix;
     }
   }
   s/(&shy;?|&#173;?|<!--hy-->)/)HY(/g;
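Review bot: `elsif ($1 eq "echo")` reads `$1` after the `m"^/|\.\."` in the previous hunk may already have succeeded, and a successful match with no capture groups leaves `$1` undefined; this branch is reached precisely when an include was rejected (the `if` above it failed), so under -w every rejected include produces an "uninitialized value" warning, and any future branch that relies on `$1` there would misbehave. The directive name should be copied into a lexical together with the match context, e.g. `my ($what, $prefix, $suffix) = ($1, $`, $');`, and the `if`/`elsif` chain compared against `$what`.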
Comment 9 Vincent Danen 2010-04-29 11:34:22 EDT
Petr, have you heard from upstream yet regarding this?  Is this fix suitable to fix the regression and something they will be incorporating upstream?

Thanks.
Comment 11 Petr Pisar 2010-04-29 17:01:39 EDT
No, I haven't. However, I think the patch is very trivial and the bug in the 1.0b6 upstream version is obvious. This is what I sent to upstream:

===Beginning of mail===
Date: Tue, 27 Apr 2010 13:30:50 +0200
From: Petr Pisar <ppisar@redhat.com>
To: jan@it.uu.se
Subject: html2ps-1.0b6 SSI fix breaks document composition

Hello,

while reviewing the html2ps-1.0b6 release because of the SSI directory traversal bug,
I found your fix introduced a regression:

- if($1 eq "include" && (substr($file,0,1) ne "/" || $opt_r)) {
+ if($1 eq "include" && ($file !~m"(^/|\.\.)" || $opt_r)) {

The m// operator replaces the $` and $' variables if the match succeeds. However, these
variables are used later on to complete $_. This is the reason why the former code used
substr() instead of the match operator.

A simple fix is to store those two variables and retrieve their content at the
end:

[the above quoted patch from comment #8]

This is a testcase where 1.0b6 dismisses everything and pastes just a part of the
first included file name matching m"^/|..":

<html>
    <body>
        <p>Should include (README):</p>
        <!--#include file="README"-->
        <p>Should not include (../etc/passwd):</p>
        <!--#include file="../etc/passwd"-->
        <p>Should chroot (/etc/passwd):</p>
        <!--#include file="/etc/passwd"-->
    </body>
</html>
===End of mail===

Thus I have not waited any longer and have fixed the code in RHEL6 on my own.
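The following is an added example, not html2ps code and not Petr's or upstream's patch: a small Perl stand-in for the SSI loop in html2ps's Subst(), run in the shapes it took across this bug (the original leading-slash check from comment 1, the 1.0b6 `^/|..` check from comment 7, and that check plus the saved prefix/suffix from comment 8) over the testcase from comment 11, retargeted at a constructed document tree so it runs offline. It also carries a realpath containment check that html2ps does not have. The tree layout, file names, `contained()` and the variant labels are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not html2ps code: a stand-in for the SSI loop in html2ps's
# Subst(), run as 1.0b5 (leading "/" check), 1.0b6 (m// check that clobbers
# $` and $'), 1.0b7 (m// check plus saved prefix/suffix) and with a realpath
# containment check that html2ps does not have. The document tree, file
# names and variant labels are constructed for this example.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

sub write_file { my ($p, $s) = @_; open(my $fh, '>', $p) or die "$p: $!"; print $fh $s; close $fh; }
sub slurp      { my ($p) = @_; open(my $fh, '<', $p) or return ""; local $/; my $s = <$fh>; close $fh; return $s; }

# Constructed tree: $root/secret.txt must never leak; $root/docs/README may be included.
my $root = tempdir(CLEANUP => 1);
mkdir "$root/docs" or die "$root/docs: $!";
write_file("$root/secret.txt",  "SECRET");
write_file("$root/docs/README", "README CONTENT");
my $B2    = "$root/docs/";   # the base html2ps prepends to relative includes
my $opt_r = 0;               # html2ps's $opt_r bypass; keep it off behind a CGI

# Petr's testcase from comment 11, retargeted at the constructed tree.
my $html = join "",
    '<p>Should include (README):</p>',
    '<!--#include file="README"-->',
    '<p>Should not include (../secret.txt):</p>',
    '<!--#include file="../secret.txt"-->',
    '<p>Should not include (absolute path):</p>',
    qq{<!--#include file="$root/secret.txt"-->};

# Not in html2ps: resolve the include target and require it to stay under $B2.
# This also catches a symlink escaping the tree, which a ".." substring test cannot.
sub contained {
    my ($file) = @_;
    my $target = realpath(substr($file, 0, 1) eq "/" ? $file : $B2 . $file);
    (my $base = realpath($B2)) =~ s{/+$}{};
    return defined $target && index($target, "$base/") == 0;
}

sub subst {
    my ($text, $variant) = @_;
    local $_ = $text;
    while (/<!--#(include|config|echo)\s+(\w+)\s*="([^"]+)"\s*-->/) {
        my $inc = "";
        my ($dir, $file) = ($1, $3);        # $1 is reset by any later successful match
        my ($prefix, $suffix) = ($`, $');   # the line comment 8 adds
        # The 1.0b6/1.0b7 test is a plain statement in this block, as in html2ps's
        # if(): when m// matches, $` and $' now describe the match inside $file.
        my $allowed =
            $variant eq 'b5'      ? substr($file, 0, 1) ne "/"   # 1.0b5: leading "/" only
          : $variant eq 'contain' ? contained($file)
          :                         $file !~ m"^/|\.\.";         # 1.0b6 and 1.0b7
        if ($dir eq "include" && ($allowed || $opt_r)) {
            $file = $B2 . $file if substr($file, 0, 1) ne "/";
            $inc  = slurp($file);
        }
        # 1.0b5 and 1.0b6 rebuild $_ from the live match variables; 1.0b7 from the copies.
        $_ = ($variant eq 'b7' || $variant eq 'contain') ? $prefix . $inc . $suffix
                                                         : $` . $inc . $';
    }
    return $_;
}

for my $v (qw(b5 b6 b7 contain)) {
    printf "%-7s => %s\n", $v, subst($html, $v);
}
```

Running it prints one line per variant: b5 includes README and SECRET (the `..` traversal the original check never looks at), b6 collapses the whole document to `/secret.txt` (the tail of the rejected file name, which is what comment 11 describes), and b7 and contain include README and drop both rejected directives. The containment variant is the check to prefer if html2ps is ever fed uploaded content: it accepts an absolute path that really lies under the base directory and rejects a symlink that leaves it, neither of which the `..` substring test gets right.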
Comment 12 Fedora Update System 2010-05-03 06:49:45 EDT
html2ps-1.0-0.3.b5.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/html2ps-1.0-0.3.b5.fc11
Comment 13 Fedora Update System 2010-05-03 06:50:21 EDT
html2ps-1.0-0.4.b5.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/html2ps-1.0-0.4.b5.fc12
Comment 14 Fedora Update System 2010-05-03 06:50:28 EDT
html2ps-1.0-0.2.b5.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/html2ps-1.0-0.2.b5.el5
Comment 15 Petr Pisar 2010-05-07 08:42:35 EDT
Upstream has accepted proposed patch (comment #8) and released new version 1.0b7.
Comment 16 Fedora Update System 2010-05-25 14:37:35 EDT
html2ps-1.0-0.3.b5.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2010-05-25 14:40:03 EDT
html2ps-1.0-0.4.b5.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2010-05-25 20:01:47 EDT
html2ps-1.0-0.2.b5.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
