[Secure-testing-team] Bug#848132: most is vulnerable to a shell injection attack using LZMA-compressed files

Alberto Garcia berto at igalia.com
Wed Dec 14 12:49:44 UTC 2016 

Package: most
Version: 5.0.0a-1
Severity: grave
Tags: security patch
Justification: user security hole

Hello,

the most pager can automatically open files compressed with gzip,
bzip2 and (in Debian) LZMA.

This is done using popen() and, in earlier releases of most, it was
vulnerable to a shell injection attack.

most fixed this in v5.0.0 (released in 2007), but the Debian patch
that added LZMA support (bug #466574) remains vulnerable.

It is trivial to generate a file with a certain name and content that,
when opened with most, runs arbitrary commands in the user's computer.

most is also launched by other programs as a pager for text files
(example: an e-mail client that needs to open an attachment). If any
of those programs generates a temporary file name that can be set by
an attacker, then that can be used to break into the user's machine.
I don't have any example of such program, however.

All versions of most >= 5.0.0a-1 including 5.0.0a-2.5 in Debian
(and derivatives that include the LZMA patch) are vulnerable (older
versions are vulnerable in all distros as I explained earlier).

   https://security-tracker.debian.org/tracker/CVE-2016-1253

I'm attaching the debdiff with the patch. It simply replaces single
quotes with double quotes in the command passed to popen(). Double
quotes in the filename are escaped by most in order to prevent this
kind of attacks, but this offers no protection if the file name is
enclosed in single quotes.

Regards,

Berto

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages most depends on:
ii  libc6      2.24-7
ii  libslang2  2.3.1-5

most recommends no packages.

most suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: most.debdiff
Type: text/x-diff
Size: 1622 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20161214/3389b07d/attachment.diff>

More information about the Secure-testing-team mailing list