Package: most
Version: 5.0.0a-1
Severity: grave
Tags: security patch
Justification: user security hole
Hello,

the most pager can automatically open files compressed with gzip, bzip2 and (in Debian) LZMA. This is done using popen() and, in earlier releases of most, it was vulnerable to a shell injection attack. most fixed this in v5.0.0 (released in 2007), but the Debian patch that added LZMA support (bug #466574) remains vulnerable.

It is trivial to generate a file with a certain name and content that, when opened with most, runs arbitrary commands on the user's computer.

most is also launched by other programs as a pager for text files (example: an e-mail client that needs to open an attachment). If any of those programs generates a temporary file name that can be set by an attacker, then that can be used to break into the user's machine. I don't have any example of such a program, however.

All versions of most >= 5.0.0a-1 including 5.0.0a-2.5 in Debian (and derivatives that include the LZMA patch) are vulnerable (older versions are vulnerable in all distros as I explained earlier).

https://security-tracker.debian.org/tracker/CVE-2016-1253

I'm attaching the debdiff with the patch. It simply replaces single quotes with double quotes in the command passed to popen(). Double quotes in the filename are escaped by most in order to prevent this kind of attack, but this offers no protection if the file name is enclosed in single quotes.

Regards,

Berto

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages most depends on:
ii  libc6      2.24-7
ii  libslang2  2.3.1-5

most recommends no packages.

most suggests no packages.

-- no debconf information
diff -Nru most-5.0.0a/debian/changelog most-5.0.0a/debian/changelog --- most-5.0.0a/debian/changelog 2016-08-05 02:55:52.000000000 +0300 +++ most-5.0.0a/debian/changelog 2016-12-14 14:31:29.000000000 +0200 @@ -1,3 +1,12 @@ +most (5.0.0a-2.6) unstable; urgency=high + + * Non-maintainer upload. + * lzma-support.patch: + - Fix CVE-2016-1253 (shell injection attack when opening + lzma-compressed files). + + -- Alberto Garcia <be...@igalia.com> Wed, 14 Dec 2016 14:31:29 +0200 + most (5.0.0a-2.5) unstable; urgency=medium * Non-maintainer upload. diff -Nru most-5.0.0a/debian/patches/lzma-support.patch most-5.0.0a/debian/patches/lzma-support.patch --- most-5.0.0a/debian/patches/lzma-support.patch 2016-07-22 01:50:23.000000000 +0300 +++ most-5.0.0a/debian/patches/lzma-support.patch 2016-12-14 14:25:03.000000000 +0200 @@ -1,3 +1,5 @@ +Index: most-5.0.0a/src/file.c +=================================================================== --- most-5.0.0a.orig/src/file.c +++ most-5.0.0a/src/file.c @@ -77,7 +77,7 @@ static int create_gunzip_cmd (char *cmd, @@ -32,13 +34,15 @@ if (cmd != NULL) { +Index: most-5.0.0a/src/file.h +=================================================================== --- most-5.0.0a.orig/src/file.h +++ most-5.0.0a/src/file.h @@ -22,6 +22,7 @@ #define MOST_MAX_FILES 4096 #define MOST_GUNZIP_POPEN_FORMAT "gzip -dc \"%s\"" #define MOST_BZIP2_POPEN_FORMAT "bzip2 -dc \"%s\"" -+#define MOST_LZMA_POPEN_FORMAT "lzma -dc '%s'" ++#define MOST_LZMA_POPEN_FORMAT "lzma -dc \"%s\"" extern void most_reread_file (void); extern void most_read_to_line (int);
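Review bot: the file.h hunk (`-#define MOST_LZMA_POPEN_FORMAT "lzma -dc '%s'"` to `+#define MOST_LZMA_POPEN_FORMAT "lzma -dc \"%s\""`) closes the single-quote breakout but still hands the file name to /bin/sh, where `$`, backtick and backslash remain active inside double quotes, so the fix is only complete if the escaping applied before popen() covers those characters as well as `"`; please confirm that in src/file.c (the patch header references a file.c hunk but its body is not visible here), since the gzip and bzip2 formats in the same context rely on the same escaping. A more robust change would drop the shell altogether and run lzma via fork()/exec with the file name as a separate argv element.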
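Review bot: the `+Index: most-5.0.0a/src/file.c` and `+Index: most-5.0.0a/src/file.h` lines added to lzma-support.patch are quilt refresh noise unrelated to CVE-2016-1253; for a security NMU with urgency=high, keep the diff to the one-line quote change so the fix is easy to audit and backport.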