Created attachment 733886
patch to remove the offending part

Description of problem:
/etc/profile.d/autojump.sh might load $CWD/custom_install/autojump.$SHELL or $CWD/custom_install/autojump.$SHELL. When a user starts a shell in /tmp or another publicly writable directory, and has $SHELL unset or set to something different than zsh or bash, e.g. dash, an attacker might create this file there.

Version-Release number of selected component (if applicable):
I think that the script hasn't changed recently, so Fedora 17 to rawhide is probably affected.
Adding Security keyword, please drop if not suitable here.
(In reply to comment #0)

Hello Zbigniew,

thank you for your report && patch proposal.

> Created attachment 733886
> patch to remove the offending part
>
> Description of problem:
> /etc/profile.d/autojump.sh might load $CWD/custom_install/autojump.$SHELL
> or $CWD/custom_install/autojump.$SHELL. When a user starts a shell in /tmp
> or another publicly writable directory, and has $SHELL unset or set to
> something different than zsh or bash, e.g. dash, an attacker might create
> this file there.

Just out of curiosity, have you tried to reach autojump upstream with the report above? If so, what was the reply from them? If not, can we (in your name) contact them?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> Version-Release number of selected component (if applicable):
> I think that the script hasn't changed recently, so Fedora 17 to rawhide is
> probably affected.
I haven't tried to contact upstream, I took the lazy way of just filing in bugzilla. If you can forward the bug and patch upstream, by all means please do. Thank you.
Zbigniew,

Thanks for the report. I've fixed the bug upstream in this commit:
https://github.com/joelthelion/autojump/commit/ad09ee27d402be797b3456abff6edeb4291edfec

The line shouldn't be removed due to other package managers depending on it for installation. If the global and local installations of autojump are not found, it now checks a random root directory. If a user has write privileges to /, then all bets are off but hopefully this change is sufficient.
Created attachment 739596
Check "/destdir_${RANDOM}_install" location instead.
William, are you aware of the $RANDOM special variable being changed upon each access (that's what makes it special, at least in bash and zsh)? If yes, then I am just not getting your patch, but that's ok :-)
Ok, point of the code taken but it seems to be adding obscurity. Wouldn't it be more decent to leave a special mark in the form of a comment (like "### CUSTOMIZATION HERE ###") in the place to be conditionally modified in autojump.sh and then to substitute it with a precooked "elif" block if customization is required? You can certainly do single line -> multiple lines mapping using sed:

$ echo "a" | sed 's|a|a\nb|'
a
b
Created attachment 739627
Uncomment else-if block only when --destdir is used during installation.

Jan,

Stop being so sensible. :)

- William
A security flaw was found in the way autojump, a tool for faster filesystem navigation from the command line, used to honour the content of the custom_install directory when global and local autojump installations were not found and the $SHELL variable was unset or set to a different value than bash or zsh. If an unsuspecting autojump user was tricked into running the autojump script from a directory a local attacker has write access to, this flaw could be used for arbitrary (Python) code execution with the privileges of the user running the autojump binary / script.

Relevant (final) upstream patches are as follows:
[1] https://github.com/joelthelion/autojump/commit/ad09ee27d402be797b3456abff6edeb4291edfec
[2] https://github.com/joelthelion/autojump/commit/c763b2afadb188ab52849c21d43d2e8fe5b8800a
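A simplified reconstruction of the lookup order described in this bug, written as an added example rather than taken from the upstream autojump.sh, beside a hardened variant that follows the approach of the final upstream fix: the custom location is an absolute path fixed at install time and nothing is ever resolved relative to the current directory. The two prefixes and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the upstream autojump.sh: a simplified reconstruction of the
# lookup order described in this bug, beside a hardened variant in the spirit of
# the final upstream fix. The two prefixes below are assumed stand-ins.
AJ_GLOBAL="/usr/share/autojump"                            # assumed system-wide copy
AJ_LOCAL="${HOME:-/nonexistent}/.autojump/share/autojump"  # assumed per-user copy

# Vulnerable pattern: the last fallback is a relative path. When neither installed
# copy exists for the shell in use (SHELL=dash, or SHELL unset), the lookup lands
# on custom_install/ under the current directory, which may be /tmp.
aj_pick_vulnerable() {   # $1 = shell name (basename of $SHELL, possibly empty)
    for f in "$AJ_GLOBAL/autojump.$1" "$AJ_LOCAL/autojump.$1" \
             "custom_install/autojump.$1"; do
        if [ -s "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Hardened pattern: only shells that actually have an integration are accepted,
# the custom location is an absolute path fixed at install time ($2, empty when
# the installer was not given --destdir), and any relative candidate is skipped.
aj_pick_hardened() {     # $1 = shell name, $2 = install-time destdir or empty
    case "$1" in bash|zsh) ;; *) return 1 ;; esac
    for f in "$AJ_GLOBAL/autojump.$1" "$AJ_LOCAL/autojump.$1" \
             "${2:+$2/share/autojump/autojump.$1}"; do
        case "$f" in /*) ;; *) continue ;; esac   # never resolve against $PWD
        if [ -s "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Stand-alone demo: from a scratch directory holding a planted custom_install/
# (constructed input), the vulnerable lookup picks the planted file and the
# hardened one refuses to source anything for a shell it has no integration for.
aj_demo() {
    d=$(mktemp -d) && cd "$d" || return 1
    mkdir -p custom_install
    echo '# planted' > custom_install/autojump.dash
    printf 'vulnerable: %s\n' "$(aj_pick_vulnerable dash || echo none)"
    printf 'hardened:   %s\n' "$(aj_pick_hardened dash '' || echo refused)"
    cd / && rm -rf "$d"
}
aj_demo
```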
This issue affects the versions of the autojump package, as shipped with Fedora releases 17 and 18. Please schedule an update.

--

This issue did NOT affect the versions of the autojump package, as shipped with Fedora EPEL 5 and 6 (the vulnerable code part is not present in those versions yet).
Created autojump tracking bugs for this issue

Affects: fedora-all [bug 956792]
CVE Request: http://www.openwall.com/lists/oss-security/2013/04/25/13
The CVE identifier of CVE-2013-2012 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2013/04/25/14
FYI this was fixed upstream: https://github.com/joelthelion/autojump/commit/c763b2afadb188ab52849c21d43d2e8fe5b8800a