[Secure-testing-team] Bug#706252: autojump: CVE-2013-2012: autojump profile will load random stuff from a directory called custom_install
Salvatore Bonaccorso
carnil at debian.org
Sat Apr 27 07:54:50 UTC 2013
Package: autojump
Version: 21.5.1-1
Severity: grave
Tags: security
Justification: user security hole
Hi Tanguy
autojump in example has /usr/share/autojump/autojump.sh allowing
loading random stuff from a directory called custom_install in the
current working directory:
,---- [ /usr/share/autojump/autojump.sh ]
| # source autojump on BASH or ZSH depending on the shell
|
| shell=`echo ${SHELL} | awk -F/ '{ print $NF }'`
|
| # check local install
| if [ -s ~/.autojump/etc/profile.d/autojump.${shell} ]; then
|     source ~/.autojump/etc/profile.d/autojump.${shell}
|
| # check global install
| elif [ -s /etc/profile.d/autojump.${shell} ]; then
|     source /etc/profile.d/autojump.${shell}
|
| # check custom install locations (modified by Homebrew or using --destdir option)
| elif [ -s custom_install/autojump.${shell} ]; then
|     source custom_install/autojump.${shell}
|
| # check Debian install
| elif [ -s /usr/share/autojump/autojump.${shell} ]; then
|     source /usr/share/autojump/autojump.${shell}
| fi
`----
The version in wheezy/unstable does not seem vulnerable to these
issues, as autojump.sh is patched as:
,---- [ /usr/share/autojump/autojump.sh ]
| [...]
| if [ "$BASH_VERSION" ] && [ -n "$PS1" ] && echo $SHELLOPTS | grep -v posix >>/dev/null; then
|     . /usr/share/autojump/autojump.bash
| elif [ "$ZSH_VERSION" ] && [ -n "$PS1" ]; then
|     . /usr/share/autojump/autojump.zsh
| fi
`----
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2012
http://security-tracker.debian.org/tracker/CVE-2013-2012
[1] http://marc.info/?s=CVE-2013-2012&l=oss-security
Regards,
Salvatore
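
An added example, not part of the original message and not autojump or Debian code: a small scanner that flags `source` / `.` commands whose target is a relative path, run over constructed, abridged copies of the two autojump.sh variants quoted above. The function names and sample file names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not autojump or Debian code. Flags `source F` / `. F` where F is a
# relative path such as custom_install/x, which the shell resolves against the
# current working directory. Heuristic: $VAR-rooted paths are skipped, not proven safe.
find_relative_source() {   # prints LINE:PATH for each hit in file $1
    awk '
    {
        line = $0; sub(/^[ \t]+/, "", line)
        if (line ~ /^#/) next                        # skip comment lines
        n = split(line, w, /[ \t]+/)
        for (i = 1; i < n; i++) {
            # command position: start of line or after then/else/do/;/&&/||
            if ((w[i] == "source" || w[i] == ".") &&
                (i == 1 || w[i-1] ~ /^(then|else|do|;|&&|[|][|])$/)) {
                p = w[i+1]; gsub(/^"|[";]+$/, "", p)  # strip double quotes and ;
                if (p !~ /^(\/|~|\$)/) print NR ":" p
            }
        }
    }' "$1"
}

# Constructed samples: abridged forms of the two autojump.sh variants in the report.
write_samples() {
    cat > "$1/vulnerable.sh" <<'EOF'
if [ -s ~/.autojump/etc/profile.d/autojump.${shell} ]; then
    source ~/.autojump/etc/profile.d/autojump.${shell}
elif [ -s custom_install/autojump.${shell} ]; then
    source custom_install/autojump.${shell}
elif [ -s /usr/share/autojump/autojump.${shell} ]; then
    source /usr/share/autojump/autojump.${shell}
fi
EOF
    cat > "$1/patched.sh" <<'EOF'
if [ "$BASH_VERSION" ] && [ -n "$PS1" ]; then
    . /usr/share/autojump/autojump.bash
elif [ "$ZSH_VERSION" ] && [ -n "$PS1" ]; then
    . /usr/share/autojump/autojump.zsh
fi
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in vulnerable.sh patched.sh; do
    echo "== $f"; find_relative_source "$tmp/$f"
done
rm -rf "$tmp"
```

Only the `custom_install/...` line of the first sample is reported; the absolute and home-rooted targets, and every line of the patched variant, pass.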