Your message dated Thu, 15 Dec 2016 03:06:47 +0000
with message-id <e1chmnb-000arv...@fasolo.debian.org>
and subject line Bug#848132: fixed in most 5.0.0a-3
has caused the Debian Bug report #848132,
regarding most: CVE-2016-1253: shell injection attack using LZMA-compressed files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
848132: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848132
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: most
Version: 5.0.0a-1
Severity: grave
Tags: security patch
Justification: user security hole

Hello,

the most pager can automatically open files compressed with gzip,
bzip2 and (in Debian) LZMA.

This is done using popen() and, in earlier releases of most, it was
vulnerable to a shell injection attack.

most fixed this in v5.0.0 (released in 2007), but the Debian patch
that added LZMA support (bug #466574) remains vulnerable.

It is trivial to generate a file with a certain name and content that,
when opened with most, runs arbitrary commands on the user's computer.

most is also launched by other programs as a pager for text files
(example: an e-mail client that needs to open an attachment). If any
of those programs generates a temporary file name that can be set by
an attacker, then that can be used to break into the user's machine.
I don't have any example of such a program, however.

All versions of most >= 5.0.0a-1 including 5.0.0a-2.5 in Debian
(and derivatives that include the LZMA patch) are vulnerable (older
versions are vulnerable in all distros as I explained earlier).

   https://security-tracker.debian.org/tracker/CVE-2016-1253

I'm attaching the debdiff with the patch. It simply replaces single
quotes with double quotes in the command passed to popen(). Double
quotes in the filename are escaped by most in order to prevent this
kind of attack, but this offers no protection if the file name is
enclosed in single quotes.

Regards,

Berto

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages most depends on:
ii  libc6      2.24-7
ii  libslang2  2.3.1-5

most recommends no packages.

most suggests no packages.

-- no debconf information
diff -Nru most-5.0.0a/debian/changelog most-5.0.0a/debian/changelog
--- most-5.0.0a/debian/changelog	2016-08-05 02:55:52.000000000 +0300
+++ most-5.0.0a/debian/changelog	2016-12-14 14:31:29.000000000 +0200
@@ -1,3 +1,12 @@
+most (5.0.0a-2.6) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * lzma-support.patch:
+    - Fix CVE-2016-1253 (shell injection attack when opening
+      lzma-compressed files).
+
+ -- Alberto Garcia <be...@igalia.com>  Wed, 14 Dec 2016 14:31:29 +0200
+
 most (5.0.0a-2.5) unstable; urgency=medium
 
   * Non-maintainer upload.
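Review bot: the new 5.0.0a-2.6 entry names CVE-2016-1253 but does not reference the bug report, so the BTS will not close #848132 automatically when this is uploaded; append `(Closes: #848132)` to the "Fix CVE-2016-1253 ..." item.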
diff -Nru most-5.0.0a/debian/patches/lzma-support.patch most-5.0.0a/debian/patches/lzma-support.patch
--- most-5.0.0a/debian/patches/lzma-support.patch	2016-07-22 01:50:23.000000000 +0300
+++ most-5.0.0a/debian/patches/lzma-support.patch	2016-12-14 14:25:03.000000000 +0200
@@ -1,3 +1,5 @@
+Index: most-5.0.0a/src/file.c
+===================================================================
 --- most-5.0.0a.orig/src/file.c
 +++ most-5.0.0a/src/file.c
 @@ -77,7 +77,7 @@ static int create_gunzip_cmd (char *cmd,
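Review bot: the added `Index:` and `===` header lines are a quilt/patch-format change with no functional effect, which makes the security debdiff noisier than it needs to be; either drop them from this NMU or mention the header refresh in the changelog so a reviewer can see that only the `file.h` quoting line matters.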
@@ -32,13 +34,15 @@
  	
  	if (cmd != NULL)
  	  {
+Index: most-5.0.0a/src/file.h
+===================================================================
 --- most-5.0.0a.orig/src/file.h
 +++ most-5.0.0a/src/file.h
 @@ -22,6 +22,7 @@
  #define MOST_MAX_FILES 4096
  #define MOST_GUNZIP_POPEN_FORMAT "gzip -dc \"%s\""
  #define MOST_BZIP2_POPEN_FORMAT "bzip2 -dc \"%s\""
-+#define MOST_LZMA_POPEN_FORMAT "lzma -dc '%s'"
++#define MOST_LZMA_POPEN_FORMAT "lzma -dc \"%s\""
  
  extern void most_reread_file (void);
  extern void most_read_to_line (int);
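Review bot: the change to `MOST_LZMA_POPEN_FORMAT` brings the LZMA command into line with the gzip and bzip2 formats directly above it, which is the right minimal fix, but it is only as strong as most's existing escaping of the file name: inside double quotes sh still expands `$`, backticks and backslashes, so confirm that the escaping routine covers those characters as well as `"`. Longer term, building the decompressor command with fork/exec and an argv array, so that no shell ever parses the file name, removes the quoting problem entirely.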

--- End Message ---
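The patch above keeps handing the file name to /bin/sh through popen() and relies on escaping. As an added example, not code from most or from the Debian patch, the following shell-free equivalent passes the file name as a single argv element so that no quoting is needed at all; `popen_argv`, `pclose_argv` and the self-test are hypothetical names, and the test uses `cat` in place of `lzma -dc` with a constructed file name full of shell metacharacters.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Shell-free popen(): exec argv[] directly and return a FILE* on its stdout. */
FILE *popen_argv(char *const argv[], pid_t *child)
{
    int fds[2];
    if (pipe(fds) < 0) return NULL;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return NULL; }
    if (pid == 0) {                    /* child: stdout -> pipe, then exec */
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(127);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);         /* the name is argv data, never shell text */
        _exit(127);                    /* only reached if exec failed */
    }
    close(fds[1]);                     /* parent keeps the read end only */
    *child = pid;
    return fdopen(fds[0], "r");
}

/* Close the pipe and reap the child; returns its exit status, or -1. */
int pclose_argv(FILE *fp, pid_t child)
{
    int status;
    fclose(fp);
    return (waitpid(child, &status, 0) == child && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Self-test (constructed input): write a file whose name holds shell metacharacters,
 * stream it back via popen_argv ("cat" stands in for "lzma -dc") and return 1 on success. */
int selftest_roundtrip(void)
{
    char dir[] = "/tmp/popen_argv_XXXXXX", path[512], buf[128] = {0};
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(path, sizeof path, "%s/it's \"a\" $weird `name`.txt", dir);
    const char *payload = "hello from a safely opened file\n";
    FILE *w = fopen(path, "w");
    if (!w || fputs(payload, w) == EOF || fclose(w) != 0) return 0;
    pid_t child; char *argv[] = { "cat", path, NULL };
    FILE *r = popen_argv(argv, &child);
    if (!r) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, r);
    int rc = pclose_argv(r, child); unlink(path); rmdir(dir);
    return rc == 0 && n == strlen(payload) && strcmp(buf, payload) == 0;
}
```

With popen() the same file name would have reached the shell verbatim; here the quotes, `$` and backticks are inert because nothing ever parses them as shell syntax.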
--- Begin Message ---
Source: most
Source-Version: 5.0.0a-3

We believe that the bug you reported is fixed in the latest version of
most, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Mako Hill <m...@debian.org> (supplier of updated most package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 14 Dec 2016 18:08:56 -0800
Source: most
Binary: most
Architecture: source amd64
Version: 5.0.0a-3
Distribution: unstable
Urgency: high
Maintainer: Benjamin Mako Hill <m...@debian.org>
Changed-By: Benjamin Mako Hill <m...@debian.org>
Description:
 most       - Pager program similar to more and less
Closes: 846465 848132
Changes:
 most (5.0.0a-3) unstable; urgency=high
 .
   * lzma-support.patch:
     - Fix CVE-2016-1253: shell injection attack when opening
       lzma-compressed files (Closes: #848132)
   * Added support for xv compressed file (Closes: #846465)


--- End Message ---