[Secure-testing-team] Bug#801263: [lsyncd] direct mode allows injecting unauthorized filesystem operations
Marcin Szewczyk
Marcin.Szewczyk at wodny.org
Wed Oct 7 21:47:40 UTC 2015
Package: lsyncd
Version: 2.1.5-2
Severity: normal
Tags: patch security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
--- Please enter the report below this line. ---
In the default-direct.lua file, in the "event.etype == 'Move'" branch,
a shell is spawned instead of using a direct fork/exec. Its arguments
aren't quoted, so one can inject additional parameters using whitespace
characters.
File paths passed to the lua script seem to be absolute, so at least
other branches doing direct exec but not using '--' are probably safe.
Examples can be tested after entering the source directory.
Example 1:
$ touch ' '
$ mv ' ' sthelse
Causes rm -rf on target (the whole directory)
Example 2:
$ touch -- ' -t tmp'
$ mv ' -t tmp' ' sthelse'
Moves the target directory and its contents to /tmp. lsyncd's cwd is /.
I attach a patch, possibly correct -- I don't know lua.
--- System information. ---
Architecture: amd64
Kernel: Linux 3.16.0-4-amd64
Debian Release: 8.2
500 stable security.debian.org
500 stable ftp.pl.debian.org
50 testing security.debian.org
50 testing ftp.pl.debian.org
--- Package information. ---
Package's Depends field is empty.
Package's Recommends field is empty.
Package's Suggests field is empty.
--
Marcin Szewczyk http://wodny.org
mailto:Marcin.Szewczyk at wodny.borg <- remove b / usuń b
xmpp:wodny at ubuntu.pl xmpp:wodny at jabster.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: default-direct-quoted.patch
Type: text/x-diff
Size: 477 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20151007/658d73e4/attachment.patch>
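The following is an added example, not the patch attached to the report and not lsyncd's own code. It reproduces the two halves of the report's point in plain POSIX sh: first, what a `mv` invoked through an unquoted `sh -c 'mv $1 $2'` template actually receives as argv when a filename contains whitespace (the constructed names ' ', ' -t tmp' and ' sthelse' are the ones the report uses), and second, the hardened form that passes each path as its own argv entry and ends option parsing with '--'. The helper names (unquoted_argc, quoted_argc, unquoted_first_word, safe_move, demo_safe_move) are this example's own, and the demo runs inside a scratch directory from mktemp.

```shell
#!/bin/sh
# Added example (not lsyncd code): shell word splitting of unquoted
# arguments versus passing paths as distinct argv entries.

# Simulates the vulnerable template: the inner shell re-expands $1 and $2
# unquoted, exactly as 'mv $1 $2' would, and reports how many operands
# mv would receive.
unquoted_argc() {
    /bin/sh -c 'set -- $1 $2; echo $#' sh "$1" "$2"
}

# Same template with the parameters quoted: the two paths stay two words
# no matter what characters they contain.
quoted_argc() {
    /bin/sh -c 'set -- "$1" "$2"; echo $#' sh "$1" "$2"
}

# Shows the first word mv would see in the unquoted case. A source name
# such as ' -t tmp' turns into the option '-t' (printf avoids echo's own
# option parsing when printing a word that starts with '-').
unquoted_first_word() {
    /bin/sh -c 'set -- $1 $2; printf "%s\n" "$1"' sh "$1" "$2"
}

# Hardened form: no shell between the caller and mv. Each path is one
# argv entry, and '--' terminates option parsing so a name beginning
# with '-' is still treated as a path.
safe_move() {
    mv -- "$1" "$2"
}

# Runs the hardened move on constructed filenames that carry a leading
# space and an option-looking token, inside a temporary directory.
# Prints "ok" when the file ended up at the intended destination.
demo_safe_move() {
    dir=$(mktemp -d) || return 1
    : > "$dir/ -t tmp"                       # like: touch -- ' -t tmp'
    safe_move "$dir/ -t tmp" "$dir/ sthelse" || { rm -rf -- "$dir"; return 1; }
    if [ -e "$dir/ sthelse" ] && [ ! -e "$dir/ -t tmp" ]; then
        rm -rf -- "$dir"
        echo ok
    else
        rm -rf -- "$dir"
        return 1
    fi
}

# Stand-alone run: show the operand counts side by side, then the demo.
printf 'unquoted operands for " -t tmp" / " sthelse": %s\n' "$(unquoted_argc ' -t tmp' ' sthelse')"
printf 'quoted operands for the same names:          %s\n' "$(quoted_argc ' -t tmp' ' sthelse')"
printf 'unquoted operands for " " / "sthelse":        %s\n' "$(unquoted_argc ' ' 'sthelse')"
printf 'first word mv sees, unquoted:                 %s\n' "$(unquoted_first_word ' -t tmp' ' sthelse')"
printf 'hardened move: %s\n' "$(demo_safe_move)"
```

The counts are the whole story: with the unquoted template the name ' ' contributes zero operands (mv is left with a single operand, the report's Example 1) and ' -t tmp' contributes the words '-t' and 'tmp' (Example 2), so the filename has become command-line options. Quoting the parameters, or better, skipping the shell entirely as in safe_move, keeps every path a single operand; the '--' is what makes the direct-exec branches safe even if a path were ever relative and began with '-'.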