Package: manpages
Version: 3.71-1
Severity: normal

Hello,

man 5 core gingerly mentions piping core dumps to a program and using % specifiers as arguments. It does not, however, mention their escaping, or lack thereof.

I am not terribly bothered by scenarios like this here:

  http://www.jakoblell.com/blog/2014/05/07/hacking-contest-hiding-stuff-from-the-terminal/

I am instead worried by something apparently harmless like this:

  echo "| /usr/local/sbin/handle_core %e %t"

with a script like:

  DATE_TAG=$(date --date=@$2 +%Y%m%d-%H%M%S)
  gzip > "/var/debug/${DATE_TAG}-${1}.core"

%e, %E and %h look harmful to me in that way, with a risk of opening user-exploitable vulnerabilities:

  ulimit -c 999999
  cp /bin/sleep "; /foo/bar"
  ./"; /foo/bar" 100
  ^\

Since the kernel doesn't run the script via the shell, it looks like using only one of them can be made safe when using it at the end of the command:

  echo "| /usr/local/sbin/handle_core %t %e"

with a script like this:

  TIMESTAMP=$1
  shift
  PROGRAM="$*"
  DATE_TAG=$(date --date=@$TIMESTAMP +%Y%m%d-%H%M%S)
  gzip > "/var/debug/${DATE_TAG}-${PROGRAM}.core"

Systems are not vulnerable by default, but I think they can be made user exploitable by reasonably competent people acting in good faith via this, so I think it should be mentioned.

Enrico

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

manpages depends on no packages.
manpages recommends no packages.

Versions of packages manpages suggests:
ii  konqueror [man-browser]  4:4.14.1-1
ii  man-db [man-browser]     2.7.0.2-1

-- no debconf information