Package: groff
Version: 1.22.4-2
Severity: grave
Tags: security
Justification: user security hole

According to the gropdf(1) man page:

  gropdf [-dels] [-F dir] [-I dir] [-p paper-size] [-u [cmapfile]] [-y foundry] [file ...]

but providing a "filename" with a pipe character can yield an arbitrary command execution:

  $ touch foo
  $ ls foo
  foo
  $ gropdf "rm foo|"
  $ ls foo
  ls: cannot access 'foo': No such file or directory
  $

The reason is that gropdf is a Perl script that uses the insecure null filehandle "<>". The perlop(1) man page says:

  Since the null filehandle uses the two argument form of "open" in perlfunc it interprets special characters, so if you have a script like this:

      while (<>) {
          print;
      }

  and call it with "perl dangerous.pl 'rm -rfv *|'", it actually opens a pipe, executes the "rm" command and reads "rm"'s output from that pipe.

BTW, I fear that's not the only Perl script that is affected by such a bug.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages groff depends on:
ii  groff-base   1.22.4-2
ii  libc6        2.28-5
ii  libgcc1      1:8.2.0-14
ii  libice6      2:1.0.9-2
ii  libsm6       2:1.2.2-1+b3
ii  libstdc++6   8.2.0-14
ii  libx11-6     2:1.6.7-1
ii  libxaw7      2:1.0.13-1+b2
ii  libxmu6      2:1.1.2-2
ii  libxt6       1:1.1.5-1

Versions of packages groff recommends:
ii  ghostscript                     9.26~dfsg-0+deb9u2
ii  imagemagick                     8:6.9.10.23+dfsg-2
ii  imagemagick-6.q16 [imagemagick] 8:6.9.10.23+dfsg-2
ii  libpaper1                       1.1.26
ii  netpbm                          2:10.0-15.3+b2
ii  perl                            5.28.1-3
ii  psutils                         1.17.dfsg-4

groff suggests no packages.

-- no debconf information
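As an added illustration of the fix, not code from gropdf or from the reporter, here is an input loop that replaces the "while (<>)" idiom with an explicit three-argument open, so that an argument such as "rm foo|" is only ever treated as a file name. The function names open_input_file and process_inputs are assumed for this example.

```perl
#!/usr/bin/perl
# Added example (not gropdf's own code): a safe replacement for
# "while (<>)".  Every name in @ARGV is opened with the three-argument
# form of open(), whose mode is fixed to '<', so a trailing '|' or a
# leading '>' in the name cannot turn the open into a pipe or a write.
use strict;
use warnings;

# Open one command-line argument as a plain file for reading.
# "-" means standard input, as with the classic diamond operator.
# Returns a filehandle or dies with a clear message.
sub open_input_file {
    my ($name) = @_;
    return \*STDIN if $name eq '-';
    open(my $fh, '<', $name)
        or die "cannot open '$name' for reading: $!\n";
    return $fh;
}

# Feed every line of every input named on the command line (stdin if
# none) to $callback.  This is the loop a script such as gropdf would
# wrap around its own parser instead of "while (<>)".
sub process_inputs {
    my ($callback, @names) = @_;
    @names = ('-') unless @names;
    for my $name (@names) {
        my $fh = open_input_file($name);
        while (my $line = <$fh>) {
            $callback->($name, $line);
        }
        close $fh if $name ne '-';
    }
}

# On Perl 5.22 or later the same protection comes from the "double
# diamond" operator, which perlop(1) documents as using the
# three-argument open internally:
#
#     while (<<>>) { print; }
#
# The explicit loop above is for scripts that must also run on older
# perls.  Demo: echo each line prefixed with the name it came from.
process_inputs(sub { my ($name, $line) = @_; print "$name: $line" }, @ARGV);
```

Running this script with the argument "rm foo|" from the report above simply dies with "cannot open 'rm foo|' for reading", and foo is left untouched.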