Debian Bug report logs - #338312
osh: Environment Variable Input Validation Bug


Package: osh; Maintainer for osh is (unknown);

Reported by: Charles Stevenson <core@bokeoa.com>

Date: Wed, 9 Nov 2005 12:48:05 UTC

Severity: critical

Tags: security

Found in version osh/1.7-14

Fixed in version osh/1.7-15

Done: Oohara Yuuma <oohara@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Oohara Yuuma <oohara@debian.org>:
Bug#338312; Package osh.


Acknowledgement sent to Charles Stevenson <core@bokeoa.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Oohara Yuuma <oohara@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Charles Stevenson <core@bokeoa.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: osh: Environment Variable Input Validation Bug
Date: Wed, 09 Nov 2005 04:42:08 -0800
Package: osh
Version: 1.7-14
Severity: critical
Tags: security
Justification: root security hole


Due to a bug in the environment variable substitution code it is
possible to inject environment variables such as LD_PRELOAD and gain a
root shell.

Fully-functional local root exploit here:

http://pulltheplug.org/users/core/files/x_osh3.sh

Kind Regards,
Charles Stevenson

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-corezion
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages osh depends on:
ii  libc6                         2.3.5-6    GNU C Library: Shared libraries an
ii  libncurses5                   5.4-9      Shared libraries for terminal hand
ii  logrotate                     3.7.1-2    Log rotation utility

osh recommends no packages.

-- no debconf information
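The mechanism behind the report above, as an added example that is not part of the bug report or of osh: osh 1.7-14 expanded "$NAME/suffix" by calling strcat() on the pointer getenv() returned, which points into the process's environment block, so the "/" overwrites the NUL ending NAME's entry and the suffix is written over the start of whatever entry comes next. The code below rebuilds that layout in its own memory (the block, the variable names and the "A/LD_PRELOAD=x" input are constructed for the demo), shows the corruption, and shows the hardened form that assembles the argument in a caller-owned buffer, which is the approach the 1.7-15 changelog describes as "don't overwrite the return value of getenv()". Unlike the 1.7-15 patch, the hardened form here keeps the "/" separator the old code emitted. How x_osh3.sh actually turns this into a root shell is not reproduced.

```c
/* Added example, not code from osh or from this bug report. Models the flaw the
 * report describes: osh 1.7-14 expanded "$NAME/suffix" by strcat()ing "/" and the
 * suffix onto the pointer getenv() returned, i.e. into the environment block itself.
 * The sample block, names and the "A/LD_PRELOAD=x" input are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* At exec time the environment is a run of NUL-terminated "NAME=value" strings
 * stored back to back, with environ[] pointing at each; rebuilt here in our own
 * memory so the demo never touches the real environ. */
struct envblock {
    char mem[64];
    char *vars[4];                 /* NULL-terminated pointer table */
};

static void envblock_init(struct envblock *b)
{
    const char *entries[] = { "A=", "PATH=/usr/bin:/bin", "HOME=/home/op" };
    size_t off = 0;
    memset(b->mem, 0, sizeof b->mem);
    for (int i = 0; i < 3; i++) {
        b->vars[i] = strcpy(b->mem + off, entries[i]);
        off += strlen(entries[i]) + 1;
    }
    b->vars[3] = NULL;
}

/* Same contract as getenv(): returns a pointer INTO the block, not a copy. */
static char *block_getenv(struct envblock *b, const char *name)
{
    size_t n = strlen(name);
    for (char **p = b->vars; *p; p++)
        if (strncmp(*p, name, n) == 0 && (*p)[n] == '=')
            return *p + n + 1;
    return NULL;
}

/* Copies spec into temp, splits at the last '/'; returns the suffix, or NULL when
 * there is nothing to split on (a leading '/' is treated the same, for brevity). */
static const char *split_spec(char *temp, size_t n, const char *spec)
{
    snprintf(temp, n, "%s", spec);
    char *slash = strrchr(temp, '/');
    if (slash == NULL || slash == temp)
        return NULL;
    *slash = '\0';
    return slash + 1;
}

/* The 1.7-14 logic: appends through getenv()'s pointer. The "/" lands on the NUL
 * that ended NAME's entry, so the suffix overwrites the start of the NEXT entry
 * in the block: whoever controls the suffix controls that entry's text. */
static char *expand_vulnerable(struct envblock *b, const char *spec)
{
    char temp[255];
    const char *suffix = split_spec(temp, sizeof temp, spec);
    char *val = block_getenv(b, temp);
    if (val == NULL || suffix == NULL)
        return val;
    strcat(val, "/");
    strcat(val, suffix);
    return val;
}

/* Hardened form: read through getenv()'s pointer, never write through it; the
 * result goes in a buffer the caller owns and frees. Unlike the 1.7-15 patch it
 * keeps the "/" separator the old code emitted. */
static char *expand_fixed(struct envblock *b, const char *spec)
{
    char temp[255];
    const char *suffix = split_spec(temp, sizeof temp, spec);
    const char *val = block_getenv(b, temp);
    if (val == NULL)
        return NULL;
    size_t n = strlen(val) + (suffix ? strlen(suffix) + 2 : 1);
    char *out = malloc(n);
    if (out != NULL)
        snprintf(out, n, "%s%s%s", val, suffix ? "/" : "", suffix ? suffix : "");
    return out;
}

/* 1 if the vulnerable expansion turned the entry that held PATH into LD_PRELOAD. */
int demo_vulnerable_injects_variable(void)
{
    struct envblock b;
    envblock_init(&b);
    const char *r = expand_vulnerable(&b, "A/LD_PRELOAD=x");
    const char *ld = block_getenv(&b, "LD_PRELOAD");
    return r && !strcmp(r, "/LD_PRELOAD=x") && ld && !strcmp(ld, "x")
        && block_getenv(&b, "PATH") == NULL;
}

/* 1 if the fixed expansion builds the right arguments and leaves the block intact. */
int demo_fixed_keeps_environment_intact(void)
{
    struct envblock b;
    envblock_init(&b);
    char *r1 = expand_fixed(&b, "A/LD_PRELOAD=x"), *r2 = expand_fixed(&b, "HOME/bin");
    const char *path = block_getenv(&b, "PATH");
    int ok = r1 && !strcmp(r1, "/LD_PRELOAD=x") && r2 && !strcmp(r2, "/home/op/bin")
          && path && !strcmp(path, "/usr/bin:/bin") && !block_getenv(&b, "LD_PRELOAD");
    free(r1), free(r2);
    return ok;
}
```

With the sample block, demo_vulnerable_injects_variable() shows that after expanding "A/LD_PRELOAD=x" the entry that used to be PATH reads "LD_PRELOAD=x", so a later getenv("LD_PRELOAD") succeeds even though no such variable was ever set; demo_fixed_keeps_environment_intact() shows the same input handled without touching the block. Whether the suffix osh accepts and the loader's treatment of a setuid process allow the real exploit to go this way is not something this page states.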



Information forwarded to debian-bugs-dist@lists.debian.org, Oohara Yuuma <oohara@debian.org>:
Bug#338312; Package osh.


Acknowledgement sent to Oohara Yuuma <oohara@libra.interq.or.jp>:
Extra info received and forwarded to list. Copy sent to Oohara Yuuma <oohara@debian.org>.


Message #10 received at 338312@bugs.debian.org:

From: Oohara Yuuma <oohara@libra.interq.or.jp>
To: 338312@bugs.debian.org
Cc: oohara@libra.interq.or.jp
Subject: Re: Bug#338312: osh: Environment Variable Input Validation Bug
Date: Wed, 09 Nov 2005 23:36:53 +0900 (JST)
patch attached

-- 
Oohara Yuuma <oohara@libra.interq.or.jp>

Lord, what fools these mortals be!
--- William Shakespeare, "A Midsummer-Night's Dream"
[diff.txt (text/plain, inline)]
diff -u -rN osh-1.7-unmodified/debian/changelog osh-1.7/debian/changelog
--- osh-1.7-unmodified/debian/changelog	2005-11-09 23:34:25.000000000 +0900
+++ osh-1.7/debian/changelog	2005-11-09 23:34:41.000000000 +0900
@@ -1,3 +1,12 @@
+osh (1.7-15) unstable; urgency=high
+
+  * urgency set to high because this version fixes a bug that causes
+    unauthorized privilege escalation (thanks to Charles Stevenson
+    <core@bokeoa.com> for the bug report)
+  * main.c: don't overwrite the return value of getenv() (closes: #338312)
+
+ -- Oohara Yuuma <oohara@debian.org>  Wed,  9 Nov 2005 23:05:52 +0900
+
 osh (1.7-14) unstable; urgency=high
 
   * urgency set to high because this version fixes a buffer overflow
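Review bot: the changelog entry says what the code no longer does but not what the user-facing problem was; since the security team cross-references the DSA and tracker against this text, state that the "$VAR/suffix" expansion could overwrite neighbouring environment entries (the LD_PRELOAD injection in the report) and add the CVE identifier once the security team assigns one.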
diff -u -rN osh-1.7-unmodified/main.c osh-1.7/main.c
--- osh-1.7-unmodified/main.c	2005-11-09 23:34:25.000000000 +0900
+++ osh-1.7/main.c	2005-11-09 23:34:41.000000000 +0900
@@ -442,31 +442,33 @@
 	  fprintf(stderr,"Illegal or too long environment variable\n");
 	  break;
 	}
-	if ((env2=getenv(env))==NULL) {
-	  char temp[255];
-	  char *temp2;
-	  
-	  strcpy(temp,env);
-	  if ((temp2=(char *)strrchr(temp,'/'))!=NULL) {
-	    if (temp2!=temp)
-	      *temp2='\0';
-	    else
-	      *(temp2+1)='\0';
-	    if ((env2=getenv(temp))!=NULL) {
-	      strcat(env2,"/");
-	      strcat(env2,temp2+1);
-	    }
-	  }
-	}	
-	if (env2==NULL) {
-	  fprintf(stderr,"Nonexistent environment variable\n");
-	  break;
-	}
-	if ((argv[argc]=(char *)malloc(strlen(env2)+1))==NULL) {
-	  fprintf(stderr,"Out of arg memory\n");
-	  break;
-	}
-	strcpy(argv[argc],env2);
+        {
+          char temp[255];
+          /* temp2+1 is "" which is a valid string */
+	  char *temp2 = "\0";
+
+          if ((env2=getenv(env))==NULL) {
+            strcpy(temp,env);
+            if ((temp2=(char *)strrchr(temp,'/'))!=NULL) {
+              if (temp2!=temp)
+                *temp2='\0';
+              else
+                *(temp2+1)='\0';
+              env2=getenv(temp);
+            }
+          }
+          if (env2==NULL) {
+            fprintf(stderr,"Nonexistent environment variable\n");
+            break;
+          }
+          if ((argv[argc]=(char *)malloc(strlen(env2)+strlen(temp2+1)+1))==NULL) {
+            fprintf(stderr,"Out of arg memory\n");
+            break;
+          }
+          strcpy(argv[argc],env2);
+          strcpy(argv[argc]+strlen(env2), temp2+1);
+          *(argv[argc]+strlen(env2)+strlen(temp2+1)) = '\0';
+        } /* of temp[] and *temp2 declaration */
 	argc++;
 	continue;
       case TPIPE:
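Review bot: the separator between the variable's value and the suffix is dropped in this hunk. The removed code ran strcat(env2,"/") before strcat(env2,temp2+1); the replacement does strcpy(argv[argc]+strlen(env2), temp2+1) directly after env2, so an argument that used to expand to value/suffix now expands to valuesuffix. If that is not intended, emit the "/" whenever a '/' was found in env and size the malloc as strlen(env2)+1+strlen(temp2+1)+1. Smaller points: the closing *(argv[argc]+strlen(env2)+strlen(temp2+1)) = '\0' is redundant because strcpy already terminates the string; char *temp2 = "\0" only works because the literal carries a second NUL byte that keeps temp2+1 in bounds, and a separate const char *suffix = "" would say the same without the trick; and strcpy(temp,env) into temp[255] still relies on the "Illegal or too long environment variable" check above to bound env, which this hunk does not show.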

Information forwarded to debian-bugs-dist@lists.debian.org, Oohara Yuuma <oohara@debian.org>:
Bug#338312; Package osh.


Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Oohara Yuuma <oohara@debian.org>.


Message #15 received at 338312@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: Charles Stevenson <core@bokeoa.com>, 338312@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#338312: osh: Environment Variable Input Validation Bug
Date: Wed, 9 Nov 2005 16:12:11 +0000
On Wed, Nov 09, 2005 at 04:42:08AM -0800, Charles Stevenson wrote:

> Due to a bug in the environment variable substitution code it is
> possible to inject environment variables such as LD_PRELOAD and gain a
> root shell.

  Confirmed.

  Joey we'll need an ID for it.
  
  I guess we need to use two buffers to handle the expansion correctly...

Steve
--



Information forwarded to debian-bugs-dist@lists.debian.org, Oohara Yuuma <oohara@debian.org>:
Bug#338312; Package osh.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Oohara Yuuma <oohara@debian.org>.


Message #20 received at 338312@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Steve Kemp <skx@debian.org>
Cc: Charles Stevenson <core@bokeoa.com>, 338312@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#338312: osh: Environment Variable Input Validation Bug
Date: Wed, 9 Nov 2005 21:22:40 +0100
Steve Kemp wrote:
> On Wed, Nov 09, 2005 at 04:42:08AM -0800, Charles Stevenson wrote:
> 
> > Due to a bug in the environment variable substitution code it is
> > possible to inject environment variables such as LD_PRELOAD and gain a
> > root shell.
> 
>   Confirmed.
> 
>   Joey we'll need an ID for it.

Please use CVE-2005-3344 and inform vendor-sec.

Regards,

	Joey

-- 
This is GNU/Linux Country.  On a quiet night, you can hear Windows reboot.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Oohara Yuuma <oohara@debian.org>:
Bug#338312; Package osh.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Oohara Yuuma <oohara@debian.org>.


Message #25 received at 338312@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Steve Kemp <skx@debian.org>
Cc: Charles Stevenson <core@bokeoa.com>, 338312@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#338312: osh: Environment Variable Input Validation Bug
Date: Wed, 9 Nov 2005 21:27:22 +0100
Steve Kemp wrote:
> > Due to a bug in the environment variable substitution code it is
> > possible to inject environment variables such as LD_PRELOAD and gain a
> > root shell.

Charles Stevenson discovered that osh, the operator's shell for
executing defined programs in a privileged environment, does not
handle environment variables properly, allowing a local attacker to
open a root shell.

Please take care of the package for woody as well.

Regards,

	Joey

-- 
This is GNU/Linux Country.  On a quiet night, you can hear Windows reboot.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Oohara Yuuma <oohara@debian.org>:
Bug#338312; Package osh.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Oohara Yuuma <oohara@debian.org>.


Message #30 received at 338312@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Steve Kemp <skx@debian.org>, Charles Stevenson <core@bokeoa.com>, 338312@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#338312: osh: Environment Variable Input Validation Bug
Date: Wed, 9 Nov 2005 23:24:49 +0100
Martin Schulze wrote:
> > > Due to a bug in the environment variable substitution code it is
> > > possible to inject environment variables such as LD_PRELOAD and gain a
> > > root shell.
> > 
> >   Confirmed.
> > 
> >   Joey we'll need an ID for it.
> 
> Please use CVE-2005-3344 and inform vendor-sec.
             ^^^^^^^^^^^^^

You already used this for the insecure default configuration in horde3 (DSA-884).

Cheers,
        Moritz



Reply sent to Oohara Yuuma <oohara@debian.org>:
You have taken responsibility.


Notification sent to Charles Stevenson <core@bokeoa.com>:
Bug acknowledged by developer.


Message #35 received at 338312-close@bugs.debian.org:

From: Oohara Yuuma <oohara@debian.org>
To: 338312-close@bugs.debian.org
Subject: Bug#338312: fixed in osh 1.7-15
Date: Wed, 09 Nov 2005 14:18:10 -0800
Source: osh
Source-Version: 1.7-15

We believe that the bug you reported is fixed in the latest version of
osh, which is due to be installed in the Debian FTP archive:

osh_1.7-15.diff.gz
  to pool/main/o/osh/osh_1.7-15.diff.gz
osh_1.7-15.dsc
  to pool/main/o/osh/osh_1.7-15.dsc
osh_1.7-15_i386.deb
  to pool/main/o/osh/osh_1.7-15_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 338312@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Oohara Yuuma <oohara@debian.org> (supplier of updated osh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  9 Nov 2005 23:05:52 +0900
Source: osh
Binary: osh
Architecture: source i386
Version: 1.7-15
Distribution: unstable
Urgency: high
Maintainer: Oohara Yuuma <oohara@debian.org>
Changed-By: Oohara Yuuma <oohara@debian.org>
Description: 
 osh        - Operator's Shell
Closes: 338312
Changes: 
 osh (1.7-15) unstable; urgency=high
 .
   * urgency set to high because this version fixes a bug that causes
     unauthorized privilege escalation (thanks to Charles Stevenson
     <core@bokeoa.com> for the bug report)
   * main.c: don't overwrite the return value of getenv() (closes: #338312)
Files: 
 ca036c5484091fa935e20df7b3b64b93 553 shells extra osh_1.7-15.dsc
 2ceeb3cfac4dad6c0288365add91cc1e 12713 shells extra osh_1.7-15.diff.gz
 05e6a964564264b5678db8c5c6a832ca 27782 shells extra osh_1.7-15_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDcgcsQNb0LvRkppURAusCAJ956mjDvnN4kIwBGzpYjDzSI5c+0ACgu7hg
StPD2xuDEJEnaGSZVWS0Uds=
=e15U
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Oohara Yuuma <oohara@debian.org>:
Bug#338312; Package osh.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Oohara Yuuma <oohara@debian.org>.


Message #40 received at 338312@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Steve Kemp <skx@debian.org>, Charles Stevenson <core@bokeoa.com>, 338312@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#338312: osh: Environment Variable Input Validation Bug
Date: Thu, 10 Nov 2005 08:00:31 +0100
Moritz Muehlenhoff wrote:
> Martin Schulze wrote:
> > > > Due to a bug in the environment variable substitution code it is
> > > > possible to inject environment variables such as LD_PRELOAD and gain a
> > > > root shell.
> > > 
> > >   Confirmed.
> > > 
> > >   Joey we'll need an ID for it.
> > 
> > Please use CVE-2005-3344 and inform vendor-sec.
>              ^^^^^^^^^^^^^
> 
> You already used this for the insecure default configuration in horde3 (DSA-884).

Stupid me.  I must have been distracted somehow.  Please use CVE-2005-3346
instead.

Moritz, thanks a lot for paying attention!

Regards,

	Joey

-- 
Life is too short to run proprietary software.  -- Bdale Garbee

Please always Cc to me when replying to me on the lists.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Jun 2007 14:27:58 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:53:54 2025; Machine Name: buxtehude
