[Secure-testing-team] Bug#884912: global: CVE-2017-17531 possible command injection
Raphael Hertzog
hertzog at debian.org
Thu Dec 21 09:45:53 UTC 2017
Package: global
X-Debbugs-CC: team at security.debian.org secure-testing-team at lists.alioth.debian.org
Severity: important
Tags: security
Hi,
the following vulnerability was published for global.
CVE-2017-17531[0]:
| gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before
| launching the program specified by the BROWSER environment variable,
| which might allow remote attackers to conduct argument-injection
| attacks via a crafted URL.
This boils down to this part of the code:
https://sources.debian.org/src/global/4.8.6-2/gozilla/gozilla.c/?hl=281:283#L281
snprintf(com, sizeof(com), "%s \"%s\"", browser, strbuf_value(URL));
system(com);
I'm not quite sure where the URL can come from, but assuming that someone
malicious can inject a bad URL up to this code, then there's a possibility of
command injection when the URL contains shell meta-characters (think «
http://foo/";command;" » or « http://foo$(command)/ »).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-17531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17531
Please adjust the affected versions in the BTS as needed.
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
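As an added illustration (this is not code from gozilla.c, nor the Debian fix for the bug): the snprintf()+system() pattern quoted in the report, next to a launcher that hands the URL to execvp() as its own argv element so no shell ever parses it. The function names build_shell_command, url_is_launchable and launch_browser are assumed, as is the scheme allowlist; the test URLs are constructed.

```c
/* Added example: vulnerable command construction vs. a shell-free launcher.
 * Not from gozilla.c; function names and the scheme allowlist are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* VULNERABLE pattern, as quoted from gozilla.c: the URL is spliced into a
 * string that system() would pass to /bin/sh -c, so a double quote or $( in
 * the URL becomes shell syntax. This only builds the string; it never runs it. */
static int build_shell_command(char *com, size_t len,
                               const char *browser, const char *url)
{
    return snprintf(com, len, "%s \"%s\"", browser, url);
}

/* Guard against argument injection: require a known scheme (so the URL can
 * never be read as a browser option like -remote) and refuse whitespace,
 * control bytes, DEL and non-ASCII. Characters such as $ ; ( ) are *legal*
 * in URLs and are deliberately allowed; they are harmless once no shell is
 * involved, which is why filtering alone is not the fix. */
static int url_is_launchable(const char *url)
{
    static const char *schemes[] = { "http://", "https://", "file://" };
    static const char allowed_punct[] = "-._~:/?#[]@!$&'()*+,;=%"; /* RFC 3986 */
    size_t i;
    int scheme_ok = 0;

    if (url == NULL || *url == '\0')
        return 0;
    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++)
        if (strncmp(url, schemes[i], strlen(schemes[i])) == 0) { scheme_ok = 1; break; }
    if (!scheme_ok)
        return 0;
    for (; *url; url++) {
        unsigned char c = (unsigned char)*url;
        if (c <= 0x20 || c >= 0x7f)
            return 0;
        if (!isalnum(c) && strchr(allowed_punct, c) == NULL)
            return 0;
    }
    return 1;
}

/* HARDENED launcher: fork + execvp with argv = { browser, url, NULL }.
 * The URL reaches the browser byte-for-byte as one argument; there is no
 * shell to interpret it. Returns the browser's exit status, or -1 on
 * refusal / failure. */
static int launch_browser(const char *browser, const char *url)
{
    char *const argv[] = { (char *)browser, (char *)url, NULL };
    pid_t pid;
    int status;

    if (browser == NULL || !url_is_launchable(url))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(browser, argv);
        _exit(127);               /* exec failed; mimic the shell's convention */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    const char *browser = getenv("BROWSER");
    if (argc != 2 || browser == NULL) {
        fprintf(stderr, "usage: BROWSER=<program> %s <url>\n", argv[0]);
        return 2;
    }
    return launch_browser(browser, argv[1]) == 0 ? 0 : 1;
}
```

Two caveats for anyone adapting this: if BROWSER carries its own options ("firefox -new-tab"), split that string on whitespace into separate argv elements yourself rather than falling back to system(), and keep the URL as the final, separate element. And do not rely on the character allowlist as the mitigation: a URL like http://foo$(command)/ passes it, correctly, because it is a valid URL; the protection comes from execvp() never handing the string to a shell.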