Debian Bug report logs - #404233
CVE-2006-6678: Netrik arbitrary command execution


Package: netrik; Maintainer for netrik is Edelhard Becker <edelhard@debian.org>; Source for netrik is src:netrik.

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Fri, 22 Dec 2006 18:18:02 UTC

Severity: grave

Tags: patch, security

Fixed in version 1.15.3-1.1

Done: Moritz Muehlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Edelhard Becker <edelhard@debian.org>:
Bug#404233; Package netrik.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Edelhard Becker <edelhard@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-6678: Netrik arbitrary command execution
Date: Fri, 22 Dec 2006 18:42:41 +0100
Package: netrik
Severity: grave
Tags: security
Justification: user security hole

A vulnerability has been reported in Netrik:

The edit_textarea function in form-file.c in Netrik 1.15.4 and earlier
does not properly verify temporary filenames when editing textarea
fields, which allows attackers to execute arbitrary commands via shell
metacharacters in the filename.

This is fixed in 1.15.5.

Please mention the CVE id in the changelog.



Information forwarded to debian-bugs-dist@lists.debian.org, Edelhard Becker <edelhard@debian.org>:
Bug#404233; Package netrik.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Edelhard Becker <edelhard@debian.org>.

Message #10 received at 404233@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: Stefan Fritsch <sf@sfritsch.de>, 404233@bugs.debian.org
Subject: Re: Bug#404233: CVE-2006-6678: Netrik arbitrary command execution
Date: Fri, 22 Dec 2006 22:20:37 +0000
On Fri, Dec 22, 2006 at 06:42:41PM +0100, Stefan Fritsch wrote:

> A vulnerability has been reported in Netrik:

  Thanks for the report.  Security update for Sarge is building now.

  Patch attached:

Steve
-- 

--- form-file.c 2003-08-06 10:28:45.000000000 +0000
+++ /home/skx/form-file.c       2006-12-22 22:19:12.000000000 +0000
@@ -10,6 +10,7 @@
  * (C) 2003 antrik
  */

+#include <ctype.h>
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <stdio.h>
@@ -107,6 +108,14 @@
       char             temp_name[size];
       snprintf(temp_name, size, format, name);

+      /* make sure we get a proper filename */
+      {
+        char   *chr;
+        for(chr=temp_name; *chr; ++chr)
+           if(!isalnum(*chr))    /* not safe filename char -> replace */
+              *chr='_';
+      }
+
       /* write temporary file */
       {
         int    fildes;
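Review bot: the sanitizing loop in this hunk runs over the whole assembled `temp_name`, so any '/' or '.' contributed by `format` itself is rewritten to '_' together with the hostile bytes from `name`; if the template carries a directory and an extension, the result degrades to a bare relative name in the current directory. Sanitize `name` (the only untrusted part) before the `snprintf(temp_name, size, format, name);` call instead, and cast in `if(!isalnum(*chr))` to `(unsigned char)`, since isalnum() on a negative plain char is undefined behaviour. The allow-list of alphanumerics is the right direction; a deny-list of known metacharacters would be the weaker choice.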


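The sanitization the report and the patch discuss, applied to the untrusted field name before it is combined with the temp-file template rather than to the finished path (added example, not Netrik's or Steve Kemp's code; the `<dir>/netrik-<field>.txt` layout and the function names are assumptions):

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Reduce an untrusted form-field name to [A-Za-z0-9_-], replacing every
 * other byte with '_'. The unsigned char cast matters: isalnum() on a
 * negative plain char is undefined behaviour. */
static void sanitize_field_name(char *s)
{
    for (; *s; ++s) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && c != '_' && c != '-')
            *s = '_';
    }
}

/* Assemble "<dir>/netrik-<field>.txt" (hypothetical layout, not Netrik's)
 * into out. The field is sanitized BEFORE it meets the template, so the
 * '/' and '.' we add ourselves survive. Returns 0, or -1 on truncation. */
static int build_temp_name(char *out, size_t size,
                           const char *dir, const char *field)
{
    char safe[64];
    snprintf(safe, sizeof safe, "%s", field);   /* bounded copy */
    sanitize_field_name(safe);
    int n = snprintf(out, size, "%s/netrik-%s.txt", dir, safe);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* Independent check: 1 if the path holds only allow-listed bytes plus the
 * '/' and '.' that the template contributes, 0 if anything else got in. */
static int temp_name_is_clean(const char *path)
{
    for (; *path; ++path) {
        unsigned char c = (unsigned char)*path;
        if (!isalnum(c) && strchr("_-/.", c) == NULL)
            return 0;
    }
    return 1;
}

int main(void)
{
    char path[256];
    /* constructed hostile field name carrying shell metacharacters */
    const char *hostile = "comment;id|x y";
    if (build_temp_name(path, sizeof path, "/tmp", hostile) == 0)
        printf("%s -> %s (clean=%d)\n", hostile, path,
               temp_name_is_clean(path));
    return 0;
}
```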


Tags added: patch. Request was from Andreas Henriksson <andreas@fatal.se> to control@bugs.debian.org.

Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Message #17 received at 404233-done@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 404233-done@bugs.debian.org
Subject: Netrik fixed in NMU
Date: Sun, 24 Dec 2006 23:12:29 +0100
Version: 1.15.3-1.1



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 04:11:52 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 08:05:49 2014; Machine Name: buxtehude.debian.org
