Bug 950777 (CVE-2013-2012) - CVE-2013-2012 autojump: autojump profile will load random stuff from a directory called custom_install
Keywords:
Status: NEW
Alias: CVE-2013-2012
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 956792
Blocks:
Reported: 2013-04-10 20:55 UTC by Zbigniew Jędrzejewski-Szmek
Modified: 2019-09-29 13:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments
patch to remove the offending part (524 bytes, patch)
2013-04-10 20:55 UTC, Zbigniew Jędrzejewski-Szmek
Check "/destdir_${RANDOM}_install" location instead. (1.74 KB, patch)
2013-04-24 20:46 UTC, William Ting
Uncomment else-if block only when --destdir is used during installation. (1.77 KB, patch)
2013-04-25 00:07 UTC, William Ting

Description Zbigniew Jędrzejewski-Szmek 2013-04-10 20:55:56 UTC
Created attachment 733886 [details]
patch to remove the offending part

Description of problem:
/etc/profile.d/autojump.sh might load $CWD/custom_install/autojump.$SHELL
or $CWD/custom_install/autojump.$SHELL. When a user starts a shell in /tmp or another publicly writable directory, and has $SHELL unset or set to something different than zsh or bash, e.g. dash, an attacker might create this file there.

Version-Release number of selected component (if applicable):
I think that the script hasn't changed recently, so Fedora 17 to rawhide is probably affected.
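The pattern described in the report, shown as an added example (not autojump's own profile script) with both the weak and the hardened lookup side by side. A profile.d hook that falls back to a path relative to the current directory lets whoever controls $PWD (for instance in /tmp) decide what gets sourced; the hardened variant only honours absolute paths under fixed install roots. DEMO_PREFIX, DEMO_HOME, the function names and the scratch tree are all constructed for this demo.

```shell
#!/bin/sh
# Added example, not part of the autojump project: contrast a loader whose last
# fallback is relative to $PWD with one that only honours absolute, fixed paths.
# DEMO_PREFIX and DEMO_HOME stand in for /usr and $HOME (constructed names).

# Weak pattern: the final candidate "custom_install/..." is resolved against the
# current working directory, so a shell started in a world-writable directory
# can be made to source an attacker-supplied file when $SHELL is not bash/zsh.
find_hook_relative() {
    shell_name="${1:-sh}"
    for candidate in \
        "$DEMO_PREFIX/share/autojump/autojump.$shell_name" \
        "$DEMO_HOME/.autojump/share/autojump/autojump.$shell_name" \
        "custom_install/autojump.$shell_name"; do
        [ -f "$candidate" ] && { printf '%s\n' "$candidate"; return 0; }
    done
    return 1
}

# Hardened pattern: every candidate is an absolute path under a trusted root,
# and any candidate that is not absolute is skipped before the -f test, so the
# lookup result can never depend on $PWD.
find_hook_absolute() {
    shell_name="${1:-sh}"
    for candidate in \
        "$DEMO_PREFIX/share/autojump/autojump.$shell_name" \
        "$DEMO_HOME/.autojump/share/autojump/autojump.$shell_name"; do
        case "$candidate" in
            /*) ;;
            *) continue ;;
        esac
        [ -f "$candidate" ] && { printf '%s\n' "$candidate"; return 0; }
    done
    return 1
}

# Demo: a scratch tree with no global or local install for "dash" (the situation
# from the report) and a planted custom_install/ under a "tmp" directory.
demo() {
    scratch=$(mktemp -d)
    DEMO_PREFIX="$scratch/usr"
    DEMO_HOME="$scratch/home"
    mkdir -p "$scratch/tmp/custom_install"
    printf 'echo planted-by-someone-else\n' > "$scratch/tmp/custom_install/autojump.dash"
    cd "$scratch/tmp"
    echo "relative lookup: $(find_hook_relative dash || echo none)"
    echo "absolute lookup: $(find_hook_absolute dash || echo none)"
    cd / && rm -rf "$scratch"
}

demo
```

Run from any directory: the relative lookup reports custom_install/autojump.dash while the absolute lookup reports none, which is the difference between the two loaders that the report is about.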

Comment 1 Jan Pokorný [poki] 2013-04-23 20:53:10 UTC
Adding Security keyword, please drop if not suitable here.

Comment 2 Jan Lieskovsky 2013-04-24 13:41:03 UTC
(In reply to comment #0)

Hello Zbigniew,

  thank you for your report && patch proposal.

> Created attachment 733886 [details]
> patch to remove the offending part
> 
> Description of problem:
> /etc/profile.d/autojump.sh might load $CWD/custom_install/autojump.$SHELL
> or $CWD/custom_install/autojump.$SHELL. When a user starts a shell in /tmp
> or another publicly writable directory, and has $SHELL unset or set to
> something different than zsh or bash, e.g. dash, an attacker might create
> this file there.

Just out of curiosity, have you tried to reach autojump upstream with the report above? If so, what was the reply from them? 

If not, can we (in your name) contact them?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> Version-Release number of selected component (if applicable):
> I think that the script hasn't changed recently, so Fedora 17 to rawhide is
> probably affected.

Comment 3 Zbigniew Jędrzejewski-Szmek 2013-04-24 14:17:59 UTC
I haven't tried to contact upstream, I took the lazy way of just filing in bugzilla. If you can forward the bug and patch upstream, by all means please do. Thank you.

Comment 4 William Ting 2013-04-24 20:45:01 UTC
Zbigniew,

Thanks for the report. I've fixed the bug upstream in this commit:

https://github.com/joelthelion/autojump/commit/ad09ee27d402be797b3456abff6edeb4291edfec

The line shouldn't be removed due to other package managers depending on it for installation. If the global and local installations of autojump are not found, it now checks a random root directory.

If a user has write privileges to /, then all bets are off but hopefully this change is sufficient.

Comment 5 William Ting 2013-04-24 20:46:16 UTC
Created attachment 739596 [details]
Check "/destdir_${RANDOM}_install" location instead.

Comment 6 Jan Pokorný [poki] 2013-04-24 20:55:45 UTC
William, are you aware of $RANDOM special variable being changed
upon each access (that's what makes it special, at least in bash and zsh)?

If yes, then I am just not getting your patch, but that's ok :-)

Comment 7 Jan Pokorný [poki] 2013-04-24 21:10:47 UTC
Ok, point of the code taken but it seems to be adding obscurity.

Wouldn't it be more decent to leave a special mark in form of a comment
(like "### CUSTOMIZATION HERE ###" in the place to be conditionally
modified in autojump.sh and then to substitute it with precooked "elif"
block if customization required?

You can certainly do single line -> multiple lines mapping using sed:

$ echo "a" | sed 's|a|a\nb|' 
a
b

Comment 8 William Ting 2013-04-25 00:07:35 UTC
Created attachment 739627 [details]
Uncomment else-if block only when --destdir is used during installation.

Jan,

Stop being so sensible. :)

- William
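The install-time approach discussed in comments 7 and 8, as an added example that is not the autojump installer: a marker comment in the profile template is replaced by a hard-coded elif block only when a --destdir was requested, and dropped otherwise, so the shipped script never computes the extra path at run time. The TEMPLATE text, the marker, render_profile and the accepted destdir character set are all constructed for this demo.

```shell
#!/bin/sh
# Added example, not autojump's own installer. Renders a profile snippet from a
# template: the marker line is replaced by a destdir-specific elif block when a
# destdir is given, and simply removed when it is not. Template is constructed.

TEMPLATE='if [ -s "/usr/share/autojump/autojump.sh" ]; then
    . "/usr/share/autojump/autojump.sh"
### CUSTOMIZATION HERE ###
fi'

# render_profile DESTDIR: print the rendered snippet on stdout.
# Returns 2 (printing nothing) when DESTDIR is not an absolute path or contains
# characters that would change the meaning of the sed replacement.
render_profile() {
    destdir="$1"
    if [ -z "$destdir" ]; then
        # No customization requested: drop the marker line entirely.
        printf '%s\n' "$TEMPLATE" | sed '/^### CUSTOMIZATION HERE ###$/d'
        return 0
    fi
    case "$destdir" in
        /*) ;;
        *) echo "render_profile: destdir must be an absolute path" >&2; return 2 ;;
    esac
    case "$destdir" in
        *[!A-Za-z0-9/._-]*) echo "render_profile: unsupported character in destdir" >&2; return 2 ;;
    esac
    # Single line -> multiple lines: a backslash-newline inside the replacement
    # is the POSIX sed way to emit the two-line elif block in place of the marker.
    printf '%s\n' "$TEMPLATE" | sed "s|^### CUSTOMIZATION HERE ###\$|elif [ -s \"$destdir/share/autojump/autojump.sh\" ]; then\\
    . \"$destdir/share/autojump/autojump.sh\"|"
}

# Demo: render once without and once with a custom install root.
echo "--- no destdir ---"
render_profile ""
echo "--- destdir /opt/aj ---"
render_profile /opt/aj
```

The rendered text is a complete if/elif/fi block that can be checked with sh -n before it is installed; the character whitelist is what keeps an odd destdir from injecting sed syntax or shell syntax into the generated script.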

Comment 9 Jan Lieskovsky 2013-04-25 15:52:59 UTC
A security flaw was found in the way autojump, a tool for faster filesystem navigation from the command line, used to honour content of custom_install directory when global and local autojump installations were not found and $SHELL variable was unset or set to different value than bash or zsh. If an unsuspecting autojump user was tricked into running autojump script from the directory a local attacker has write access to, this flaw could be used for arbitrary (Python) code execution with the privileges of the user running the autojump binary / script.

Relevant (final) upstream patches are as follows:
[1] https://github.com/joelthelion/autojump/commit/ad09ee27d402be797b3456abff6edeb4291edfec
[2] https://github.com/joelthelion/autojump/commit/c763b2afadb188ab52849c21d43d2e8fe5b8800a

Comment 10 Jan Lieskovsky 2013-04-25 16:06:01 UTC
This issue affects the versions of the autojump package, as shipped with Fedora releases 17 and 18. Please schedule an update.

--

This issue did NOT affect the versions of the autojump package, as shipped with Fedora EPEL 5 and 6 (vulnerable code part is not present in those versions yet).

Comment 11 Jan Lieskovsky 2013-04-25 16:10:33 UTC
Created autojump tracking bugs for this issue

Affects: fedora-all [bug 956792]

Comment 12 Jan Lieskovsky 2013-04-25 16:25:16 UTC
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/04/25/13

Comment 13 Jan Lieskovsky 2013-04-26 07:49:07 UTC
The CVE identifier of CVE-2013-2012 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/04/25/14

Comment 14 William Ting 2014-02-05 22:49:47 UTC
FYI this was fixed upstream:
https://github.com/joelthelion/autojump/commit/c763b2afadb188ab52849c21d43d2e8fe5b8800a

