From upstream.

---------- Forwarded message ----------
From: Matthias Wandel <[EMAIL PROTECTED]>
Date: Mon, Oct 27, 2008 at 4:13 PM
Subject: Re: Bug#503645: jhead: CVE-2008-4640, CVE-2008-4641 command injection via filename and insecure file handling
To: Ludovic Rousseau <[EMAIL PROTECTED]>

Ah, the use of "exec" had been suggested before, but I didn't see a good reason for it.
I suppose if it's used for something that processes files from random users on a server, this could potentially be exploited.

I should make that change, though I won't have time for it right away. Though if somebody had a patch, that would be quicker to integrate.

The unsafe temp file creation I won't worry about for the moment.

Matthias

----- Original Message -----
From: "Ludovic Rousseau" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 27, 2008 9:52 AM
Subject: Re: Bug#503645: jhead: CVE-2008-4640, CVE-2008-4641 command injection via filename and insecure file handling

> On Mon, Oct 27, 2008 at 1:06 PM, Matthias Wandel <[EMAIL PROTECTED]> wrote:
>>
>> So what is the security vulnerability?
>>
>> You can use it to delete files, but why not just use "rm"?
>
> If I understand correctly we have two problems (from [1])
> 2 - unsafe temp file creation
> 4 - shell escapes
>
> I think "unsafe temp file creation" is referring to the use of
> unlink() at line 329 of jhead.c. I don't think it is a grave problem.
>
> "shell escapes" is more serious since you use system() at line 339 of
> jhead.c without escaping any special characters a file name could
> contain.
> For example if you have a file named "foo.jpg ; rm -rf ~" you could
> make bad things without noticing.
> Yes, you should be stupid to use such a file name.
>
>> Unless of course you run it as setuid root, but why would you go out of your
>> way to do that?
>
> A solution would be to use one of the exec(3) system calls instead of
> system(3).
>
> Bye
>
> [1] http://www.openwall.com/lists/oss-security/2008/10/16/3
>
> --
> Dr. Ludovic Rousseau
>

--
 Dr. Ludovic Rousseau
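The exec(3) approach suggested in the thread, as an added example (not jhead's code and not a patch from this thread): the file name is handed to the child as a single argv element, so no shell ever parses it. The helper names run_argv and demo_hostile_name, the use of cp as the child program, and the sample file name are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run argv[0] with argv through fork/execvp.
 * Returns the child's exit status, or -1 on error. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);  /* argv elements are never parsed by a shell */
        _exit(127);             /* only reached if exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed demo: copy a file whose name contains shell metacharacters.
 * Returns 0 if the copy exists and the embedded command did not run. */
int demo_hostile_name(void)
{
    char dir[] = "/tmp/execdemoXXXXXX";
    char name[] = "foo.jpg ; touch INJECTED";  /* constructed sample name */
    char *const cmd[] = { "cp", "--", name, "copy.jpg", NULL };
    struct stat st;
    int fd, ok;

    if (!mkdtemp(dir) || chdir(dir) != 0)
        return -1;
    fd = open(name, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    ok = run_argv(cmd) == 0 && stat("copy.jpg", &st) == 0
         && stat("INJECTED", &st) != 0;  /* marker must not have been created */
    unlink(name);
    unlink("copy.jpg");
    if (chdir("/") != 0 || rmdir(dir) != 0)
        return -1;
    return ok ? 0 : 1;
}

int main(void) { return demo_hostile_name(); }
```

The "--" argument additionally keeps a file name that begins with "-" from being read as an option by the child program.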