Thanks for this. I'll upload a patch for the version in unstable right away.
Later, Mako

On Wed, Dec 14, 2016 at 02:49:44PM +0200, Alberto Garcia wrote:
> Package: most
> Version: 5.0.0a-1
> Severity: grave
> Tags: security patch
> Justification: user security hole
>
> Hello,
>
> the most pager can automatically open files compressed with gzip,
> bzip2 and (in Debian) LZMA.
>
> This is done using popen() and, in earlier releases of most, it was
> vulnerable to a shell injection attack.
>
> most fixed this in v5.0.0 (released in 2007), but the Debian patch
> that added LZMA support (bug #466574) remains vulnerable.
>
> It is trivial to generate a file with a certain name and content that,
> when opened with most, runs arbitrary commands in the user's computer.
>
> most is also launched by other programs as a pager for text files
> (example: an e-mail client that needs to open an attachment). If any
> of those programs generates a temporary file name that can be set by
> an attacker, then that can be used to break into the user's machine.
> I don't have any example of such a program, however.
>
> All versions of most >= 5.0.0a-1 including 5.0.0a-2.5 in Debian
> (and derivatives that include the LZMA patch) are vulnerable (older
> versions are vulnerable in all distros as I explained earlier).
>
> https://security-tracker.debian.org/tracker/CVE-2016-1253
>
> I'm attaching the debdiff with the patch. It simply replaces single
> quotes with double quotes in the command passed to popen(). Double
> quotes in the filename are escaped by most in order to prevent this
> kind of attack, but this offers no protection if the file name is
> enclosed in single quotes.
>
> Regards,
>
> Berto
>
> -- System Information:
> Debian Release: stretch/sid
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages most depends on:
> ii libc6 2.24-7
> ii libslang2 2.3.1-5
>
> most recommends no packages.
>
> most suggests no packages.
>
> -- no debconf information
> diff -Nru most-5.0.0a/debian/changelog most-5.0.0a/debian/changelog > --- most-5.0.0a/debian/changelog 2016-08-05 02:55:52.000000000 +0300 > +++ most-5.0.0a/debian/changelog 2016-12-14 14:31:29.000000000 +0200 > @@ -1,3 +1,12 @@ > +most (5.0.0a-2.6) unstable; urgency=high > + > + * Non-maintainer upload. > + * lzma-support.patch: > + - Fix CVE-2016-1253 (shell injection attack when opening > + lzma-compressed files). > + > + -- Alberto Garcia <be...@igalia.com> Wed, 14 Dec 2016 14:31:29 +0200 > + > most (5.0.0a-2.5) unstable; urgency=medium > > * Non-maintainer upload. > diff -Nru most-5.0.0a/debian/patches/lzma-support.patch > most-5.0.0a/debian/patches/lzma-support.patch > --- most-5.0.0a/debian/patches/lzma-support.patch 2016-07-22 > 01:50:23.000000000 +0300 > +++ most-5.0.0a/debian/patches/lzma-support.patch 2016-12-14 > 14:25:03.000000000 +0200 > @@ -1,3 +1,5 @@ > +Index: most-5.0.0a/src/file.c > +=================================================================== > --- most-5.0.0a.orig/src/file.c > +++ most-5.0.0a/src/file.c > @@ -77,7 +77,7 @@ static int create_gunzip_cmd (char *cmd, > @@ -32,13 +34,15 @@ > > if (cmd != NULL) > { > +Index: most-5.0.0a/src/file.h > +=================================================================== > --- most-5.0.0a.orig/src/file.h > +++ most-5.0.0a/src/file.h
> @@ -22,6 +22,7 @@ > #define MOST_MAX_FILES 4096 > #define MOST_GUNZIP_POPEN_FORMAT "gzip -dc \"%s\"" > #define MOST_BZIP2_POPEN_FORMAT "bzip2 -dc \"%s\"" > -+#define MOST_LZMA_POPEN_FORMAT "lzma -dc '%s'" > ++#define MOST_LZMA_POPEN_FORMAT "lzma -dc \"%s\"" > > extern void most_reread_file (void); > extern void most_read_to_line (int);

-- 
Benjamin Mako Hill
http://mako.cc/

Creativity can be a social contribution, but only in so far as society
is free to use the results. --GNU Manifesto
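Review bot: the `-+`/`++` pair in the file.h hunk brings MOST_LZMA_POPEN_FORMAT in line with the double-quoted MOST_GUNZIP_POPEN_FORMAT and MOST_BZIP2_POPEN_FORMAT, which closes the single-quote hole the report describes, but the file name is still handed to /bin/sh through popen(), and inside double quotes the shell keeps expanding `$`, backtick and backslash. The fix therefore only holds if the escaping routine in file.c (its hunk is reduced to headers in this debdiff, so it cannot be checked here) escapes those characters as well as `"`; that is worth confirming before upload, with a note in the changelog entry saying so. Longer term, suggest replacing popen() with fork()/execvp() on an argv vector such as `{"lzma", "-dc", "--", name, NULL}` for all three formats, so no shell ever parses the name.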