Your message dated Tue, 07 Nov 2006 16:23:59 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#397297: fixed in obexpushd 0.4+svn10-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: obexpushd
Version: 0.4-3
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
I forward this to Debian to take necessary steps.
I also attach the patch that fixes this issue. Note that this is exploitable
with any mobile device by just naming a file to exploit this like:
;some command
or
`some command`
Steps taken to prevent this:
Use
'%s'
instead of only
%s
and replace all ' with _
The option to use scriptable output is not used by default.
This should take care of all such attacks. If you have further suggestions or
still see problems, please contact me.
Thanks
HS
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18.1
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
diff -Nurp obexpushd-0.4/src/obexpushd.c obexpushd-0.4_fixed/src/obexpushd.c
--- obexpushd-0.4/src/obexpushd.c 2006-10-25 10:30:30.000000000 +0200
+++ obexpushd-0.4_fixed/src/obexpushd.c 2006-11-06 12:38:28.343845590 +0100
@@ -263,37 +263,71 @@ int create_file (obex_t* handle, int mod
}
}
+int put_close (obex_t* handle) {
+ struct file_data_t* data = OBEX_GetUserData(handle);
+ if (script) {
+ if (pclose(data->out) < 0)
+ return -errno;
+ } else {
+ if (fclose(data->out) == EOF)
+ return -errno;
+ }
+ return 0;
+}
+
int put_open (obex_t* handle) {
+ int err = 0;
struct file_data_t* data = OBEX_GetUserData(handle);
+
+ if (data->out)
+ err = put_close(handle);
+ if (err < 0)
+ return err;
if (script && strlen(script)) {
uint8_t* name = utf16to8(data->name);
+ char* type = (type? strdup(data->type): NULL);
char* cmd;
if (name) {
+ size_t i;
size_t size = strlen(script)+1;
- size += 1+utf8len(name);
- if (data->type)
- size += 1+strlen(data->type);
+ size += 3+utf8len(name);
+ if (type)
+ size += 3+strlen(type);
cmd = malloc(size);
- if (!cmd)
+ if (!cmd) {
+ free(name);
+ free(type);
return -ENOMEM;
+ }
memset(cmd,0,size);
- sprintf(cmd, "%s %s %s",script, name, (data->type? data->type: ""));
+
+ /* clean name and type against attacks:
+ * replace ' with _
+ */
+ for (i=0; i < utf8len(name); ++i)
+ if (name[i] == '\'')
+ name[i] = '_';
+ if (!type) {
+ (void)snprintf(cmd, size, "%s '%s'", script, (char*)name);
+ } else {
+ for (i=0; i < strlen(type); ++i)
+ if (type[i] == '\'')
+ type[i] = '_';
+ (void)snprintf(cmd, size, "%s '%s' '%s'", script, (char*)name,type);
+ }
} else {
cmd = strdup(script);
}
errno = 0;
data->out = popen(cmd,"w");
+ if (!data->out)
+ err = (errno? -errno: -ENOMEM);
free(cmd);
- if (!data->out) {
- if (errno == 0)
- return -ENOMEM;
- else
- return -errno;
- }
- return 0;
+ free(name);
+ free(type);
} else {
int status = create_file(handle,O_WRONLY);
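Review bot: In put_open the new initializer `char* type = (type? strdup(data->type): NULL);` tests the local `type` inside its own declaration, so the condition reads an uninitialized pointer instead of `data->type`; when that value happens to be non-zero and `data->type` is NULL, `strdup(NULL)` is called. It should read `data->type? strdup(data->type): NULL`, and a failed strdup should be reported rather than silently dropping the type argument. The quote-replacement loop and the size computation also both rely on `utf8len(name)`; if that counts characters rather than bytes, a `'` late in a multi-byte name would be left in place and the command truncated, so `strlen((char*)name)` is the safer bound for both.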
@@ -311,9 +345,8 @@ int put_open (obex_t* handle) {
if (data->type && strlen(data->type))
if (debug) printf("%u: file type: %s\n",data->id,data->type);
if (debug) printf("%u: total expected size: %zu byte(s)\n",data->id,data->length);
-
- return 0;
}
+ return err;
}
int put_write (obex_t* handle, const uint8_t* buf, int len) {
@@ -330,18 +363,6 @@ int put_write (obex_t* handle, const uin
return 0;
}
-int put_close (obex_t* handle) {
- struct file_data_t* data = OBEX_GetUserData(handle);
- if (script) {
- if (pclose(data->out) < 0)
- return -errno;
- } else {
- if (fclose(data->out) == EOF)
- return -errno;
- }
- return 0;
-}
-
void obex_object_headers (obex_t* handle, obex_object_t* obj) {
uint8_t id = 0;
obex_headerdata_t value;
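Review bot: A forward declaration `int put_close (obex_t* handle);` above put_open would have avoided moving the function, which is all the removal in this hunk amounts to, and would have kept the security fix easier to audit. The body is carried over unchanged, so it still leaves `data->out` pointing at the closed stream; since put_open now calls put_close whenever `data->out` is non-NULL, put_close should set `data->out = NULL` after pclose/fclose, unless a caller outside this diff already resets it, to rule out a second close.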
--- End Message ---
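The quoting steps listed in the report above, isolated as an added example (not code from obexpushd or from the patch). `quote_cmd` and `run_quoted` are hypothetical names, and `printf '[%s]'` is an assumed stand-in for the configured script so that the argument the shell actually delivers can be read back.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build "<script> '<name>'" as the report describes: every ' in the
 * untrusted name becomes _, then the name is wrapped in single quotes.
 * The caller frees the result. */
char *quote_cmd(const char *script, const char *name) {
    size_t nlen = strlen(name);
    size_t size = strlen(script) + 2 + nlen + 1 + 1; /* " '" name "'" NUL */
    char *cmd = malloc(size);
    if (!cmd)
        return NULL;
    int off = snprintf(cmd, size, "%s '", script);
    for (size_t i = 0; i < nlen; ++i)
        cmd[off++] = (name[i] == '\'') ? '_' : name[i];
    cmd[off++] = '\'';
    cmd[off] = '\0';
    return cmd;
}

/* Pass the quoted command to the shell via popen() and capture what the
 * helper received as its argument. Returns 0 on success, -1 on failure. */
int run_quoted(const char *script, const char *name, char *out, size_t outlen) {
    char *cmd = quote_cmd(script, name);
    if (!cmd)
        return -1;
    FILE *p = popen(cmd, "r");
    free(cmd);
    if (!p)
        return -1;
    size_t n = fread(out, 1, outlen - 1, p);
    out[n] = '\0';
    return pclose(p) == 0 ? 0 : -1;
}

int main(void) {
    /* Constructed sample names, using the two forms quoted in the report
     * plus one containing a single quote. */
    const char *names[] = { ";some command", "`some command`", "a'b" };
    char out[128];
    for (size_t i = 0; i < 3; ++i)
        if (run_quoted("printf '[%s]'", names[i], out, sizeof out) == 0)
            printf("%s\n", out);
    return 0;
}
```

Each name comes back between the brackets as one literal argument, with `'` turned into `_`; the replacement is lossy, so the stored name can differ from the one the sender chose.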
--- Begin Message ---
Source: obexpushd
Source-Version: 0.4+svn10-1
We believe that the bug you reported is fixed in the latest version of
obexpushd, which is due to be installed in the Debian FTP archive:
obexpushd_0.4+svn10-1.diff.gz
to pool/main/o/obexpushd/obexpushd_0.4+svn10-1.diff.gz
obexpushd_0.4+svn10-1.dsc
to pool/main/o/obexpushd/obexpushd_0.4+svn10-1.dsc
obexpushd_0.4+svn10-1_i386.deb
to pool/main/o/obexpushd/obexpushd_0.4+svn10-1_i386.deb
obexpushd_0.4+svn10.orig.tar.gz
to pool/main/o/obexpushd/obexpushd_0.4+svn10.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eugeniy Meshcheryakov <[EMAIL PROTECTED]> (supplier of updated obexpushd
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 7 Nov 2006 23:12:15 +0100
Source: obexpushd
Binary: obexpushd
Architecture: source i386
Version: 0.4+svn10-1
Distribution: unstable
Urgency: low
Maintainer: Eugeniy Meshcheryakov <[EMAIL PROTECTED]>
Changed-By: Eugeniy Meshcheryakov <[EMAIL PROTECTED]>
Description:
obexpushd - program for receiving files via Bluetooth or IRDA
Closes: 397297
Changes:
obexpushd (0.4+svn10-1) unstable; urgency=low
.
* New upstream SVN snapshot
- Fixed arbitrary command execution vulnerability (closes: #397297)
Files:
b2acf6083a7f154bb5fbe5bb04b112a7 639 comm optional obexpushd_0.4+svn10-1.dsc
0811e1ef852e40a8b9061ce880241878 21822 comm optional obexpushd_0.4+svn10.orig.tar.gz
d250982d6c30c617018619ee6e5384db 2400 comm optional obexpushd_0.4+svn10-1.diff.gz
d6b19eef26a4a95ce6b50e6328876353 17646 comm optional obexpushd_0.4+svn10-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFUQZxKaC6+zmozOIRAqgXAJ4nGzCDkSLZM1sSlwVjdV2ZRfxpaACgkaqr
WnEpHYWu+LEQ7QzL4cSteNU=
=y+1n
-----END PGP SIGNATURE-----
--- End Message ---