[Secure-testing-team] Bug#542329: burn: Quotation marks in filenames aren't handled properly.

pweis at pweis.com
Wed Aug 19 03:46:02 UTC 2009


Date: Tue, 18 Aug 2009 23:42:56 -0400
From: Philipp Weis <pweis at pweis.com>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Message-ID: <20090819034256.GA12021 at zaphod.pweis.com>
X-Reportbug-Version: 4.6
User-Agent: Mutt/1.5.20 (2009-06-14)

Package: burn
Version: 0.4.4-1
Severity: normal
Tags: security

Hey there,

I just discovered that burn has trouble with quotation marks in file
names, and on a closer inspection it seems as if this actually has
security implications. I attached a tiny patch that fixes three of the
quotation problems, but there seem to be more issues like this in the
code, and I don't have the time right now to look closely at all of
them.

For a demonstration of the problem, create a valid ogg file and name
it

  " | date #".ogg

Then run burn -A -a *.ogg, and burn will happily print the current
date.

Philipp


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (600, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages burn depends on:
ii  cdrdao                      1:1.2.2-17   records CDs in Disk-At-Once (DAO)
ii  genisoimage                 9:1.1.9-1    Creates ISO-9660 CD-ROM filesystem
ii  mpg321                      0.2.10.6     mpg123 clone that doesn't use floa
ii  python                      2.5.4-2      An interactive high-level object-o
ii  python-eyed3                0.6.17-1     Python module for id3-tags manipul
ii  python-pyao                 0.82-2.1     A Python interface to the Audio Ou
ii  python-pymad                0.5.4-3.2+b1 Python wrapper to the MPEG Audio D
ii  python-pyvorbis             1.4-2        Python interface to the Ogg Vorbis
ii  python-support              1.0.3        automated rebuilding support for P
ii  wodim                       9:1.1.9-1    command line CD/DVD writing tool

burn recommends no packages.

burn suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: checksum mismatch burn file /usr/share/pyshared/burnlib/burn.py

-- 
Philipp Weis

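The quoting failure the report describes, as an added example that is not burn's code and not the patch Philipp attached (which is not reproduced on the page). It assumes the pattern behind the bug is a Python program building a shell command string and wrapping the filename in double quotes; `ogginfo` is only a stand-in name for whatever tool burn invokes, and the Python interpreter stands in for that tool in the no-shell variant so the block runs anywhere. The `shell_tokens` helper tokenizes the command the way a POSIX shell would (quotes, `|`, `#` comments) using `shlex`, so the check is static and nothing from the constructed filename is ever executed. The two fixes shown are the general ones: `shlex.quote` when a shell string is unavoidable, and an argv list with no shell at all, which is the form to prefer.

```python
"""Why wrapping a filename in double quotes before handing it to the shell is
not a fix, and what to do instead.  Added example; not code from burn."""
import shlex
import subprocess
import sys

# Filename constructed from the report: the leading '"' closes the naive
# quoting, '|' starts a second command, and '#' comments out the trailing quote.
EVIL_NAME = '" | date #".ogg'


def naive_command(tool, filename):
    """The assumed vulnerable pattern: string interpolation plus double quotes.
    Returns the command string such a program would hand to the shell."""
    return '%s "%s"' % (tool, filename)


def shell_tokens(command):
    """Tokenize as a POSIX shell would: quotes group, '|' is its own token,
    '#' starts a comment.  Static analysis only; nothing is run."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def commands_in(command):
    """Number of simple commands the shell would run (pipeline stages).
    Anything above 1 for a single-tool invocation means the filename escaped."""
    return shell_tokens(command).count("|") + 1


def quoted_command(tool, filename):
    """Fix 1: if a shell string really is unavoidable, let shlex.quote do the
    quoting instead of hand-placed double quotes."""
    return "%s %s" % (tool, shlex.quote(filename))


def run_without_shell(filename):
    """Fix 2 (preferred): pass an argv list, so no shell ever parses the name.
    The interpreter stands in for the external tool; it just echoes argv[1]."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", filename],
        capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    bad = naive_command("ogginfo", EVIL_NAME)
    print("naive  :", bad, "->", shell_tokens(bad), "commands:", commands_in(bad))
    good = quoted_command("ogginfo", EVIL_NAME)
    print("quoted :", good, "->", shell_tokens(good), "commands:", commands_in(good))
    print("no-shell argv round-trips the name:", run_without_shell(EVIL_NAME) == EVIL_NAME)
```

`commands_in` doubles as a cheap regression check for a test suite: feed every filename from a fixture directory through the command builder and assert the count stays at 1. The argv form needs no such check, because the filename reaches the tool as a single argument regardless of its contents.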