Debian Bug report logs - #417789
elinks: elinks uses untrusted gettext catalog


Package: elinks; Maintainer for elinks is Moritz Muehlenhoff <jmm@debian.org>; Source for elinks is src:elinks.

Reported by: Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>

Date: Wed, 4 Apr 2007 15:24:13 UTC

Severity: grave

Tags: patch, security

Found in version elinks/0.11.1-1.2

Fixed in version elinks/0.11.1-1.4

Done: Julien Cristau <jcristau@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>, Peter Gervai <grin@tolna.net>:
Bug#417789; Package elinks.

Acknowledgement sent to Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>:
New Bug report received and forwarded. Copy sent to Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>, Peter Gervai <grin@tolna.net>.

Message #5 received at submit@bugs.debian.org:

From: Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: elinks: elinks uses untrusted gettext catalog
Date: Wed, 04 Apr 2007 17:11:44 +0200
Package: elinks
Version: 0.11.1-1.2
Severity: grave
Tags: security, patch

Hi,

Elinks loads untrusted gettext catalog from the relative directory
"../po/", and crashes (SIGSEGV) if the loaded file is corrupted.  You
can check by yourself with the following commands:

$ mkdir -p /tmp/elinks/{run,po}
$ cp /usr/share/locale/fr/LC_MESSAGES/elinks.mo /tmp/elinks/po/fr.gmo
$ dd if=/dev/urandom of=/tmp/elinks/po/fr.gmo bs=1024 seek=1 count=200
$ cd /tmp/elinks/run

$ LANG=fr_FR strace -eopen -otrace elinks
[...]
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
open("/usr/share/locale/locale.alias", O_RDONLY|O_LARGEFILE) = 3
open("../po/fr_FR.gmo", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/fr_FR/LC_MESSAGES/messages.mo", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("../po/fr.gmo", O_RDONLY|O_LARGEFILE) = 3
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++
Process 29917 detached

A gdb backtrace is included at the end of the message.

I tagged this bug as grave+security because it can be used to make
elinks load any corrupted file, and possibly execute arbitrary code.

Imagine an evil user placing some specially crafted files in
"/tmp/po/".  Then, another user (root for example) runs elinks from a
directory "/tmp/foo/", and thus loads the bad file(s).

A quick grep for '\.\./po' in the elinks sources gives the culprit
function: add_filename_to_string() around line 216 of file
"elinks-0.11.1/src/intl/gettext/loadmsgcat.c".

IMHO, changing this function to return NULL unconditionally should fix
the problem (I did not want to download all the build dependencies to
verify).

Regards,

        Arnaud Giersch


$ gdb -q /usr/bin/elinks -c core
(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libgnutls.so.13...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgnutls.so.13
Reading symbols from /usr/lib/liblua50.so.5.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/liblua50.so.5.0
Reading symbols from /usr/lib/liblualib50.so.5.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/liblualib50.so.5.0
Reading symbols from /lib/tls/i686/cmov/libm.so.6...
(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libm.so.6
Reading symbols from /usr/lib/libperl.so.5.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libperl.so.5.8
Reading symbols from /lib/tls/i686/cmov/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libdl.so.2
Reading symbols from /lib/tls/i686/cmov/libpthread.so.0...
(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libpthread.so.0
Reading symbols from /lib/tls/i686/cmov/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libc.so.6
Reading symbols from /lib/tls/i686/cmov/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libcrypt.so.1
Reading symbols from /usr/lib/libgpm.so.1...
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgpm.so.1
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/libbz2.so.1.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libbz2.so.1.0
Reading symbols from /usr/lib/libexpat.so.1...
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libexpat.so.1
Reading symbols from /usr/lib/libgnutls-openssl.so.13...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgnutls-openssl.so.13
Reading symbols from /usr/lib/libtasn1.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libtasn1.so.3
Reading symbols from /usr/lib/libgcrypt.so.11...
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgcrypt.so.11
Reading symbols from /usr/lib/libgpg-error.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgpg-error.so.0
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.3.6.so...(no debugging symbols found)...done.

(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/tls/i686/cmov/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnsl.so.1
(no debugging symbols found)
Core was generated by `elinks'.
Program terminated with signal 11, Segmentation fault.
#0  0x0809da6c in _nl_find_msg ()
(gdb)  where
#0  0x0809da6c in _nl_find_msg ()
#1  0x0809f4fe in _nl_init_domain_conv ()
#2  0x0809fc28 in _nl_load_domain ()
#3  0x0809e896 in _nl_find_domain ()
#4  0x0809de99 in dcigettext__ ()
#5  0x0809d4c1 in dcgettext__ ()
#6  0x0809e8c2 in gettext__ ()
#7  0x080a356e in get_dyn_full_version ()
#8  0x080a36c9 in init_static_version ()
#9  0x080a1e8c in init_interlink ()
#10 0x080a2be0 in select_loop ()
#11 0x080a2444 in main ()
(gdb) 

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable'), (40, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages elinks depends on:
ii  debconf                     1.5.11       Debian configuration management sy
ii  libbz2-1.0                  1.0.3-6      high-quality block-sorting file co
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libexpat1                   1.95.8-3.4   XML parsing C library - runtime li
ii  libgnutls13                 1.4.4-3      the GNU TLS library - runtime libr
ii  libgpmg1                    1.19.6-25    General Purpose Mouse - shared lib
ii  liblua50                    5.0.3-2      Main interpreter library for the L
ii  liblualib50                 5.0.3-2      Extension library for the Lua 5.0 
ii  libperl5.8                  5.8.8-7      Shared Perl library
ii  zlib1g                      1:1.2.3-13   compression library - runtime

elinks recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#417789; Package elinks.

Acknowledgement sent to Eddy Petrișor <eddy.petrisor@gmail.com>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>.

Message #10 received at 417789@bugs.debian.org:

From: Eddy Petrișor <eddy.petrisor@gmail.com>
To: 417789@bugs.debian.org, control@bugs.debian.org
Subject: this doesn't seem like a security issue
Date: Wed, 04 Apr 2007 20:04:52 +0300

tags 417789 -security
thanks

> I tagged this bug as grave+security because it can be used to make
> elinks load any corrupted file, and possibly execute arbitrary code.

How? Those are only strings. Nothing is executed from po/mo/gmo files.

> Imagine an evil user placing some specially crafted files in
> "/tmp/po/".  Then, another user (root for example) runs elinks from a
> directory "/tmp/foo/", and thus loads the bad file(s).

If they are loaded, that doesn't mean they are executed.

I won't deny that the relative path thingie leads to segfault (I
haven't tested), but the security tag doesn't seem justified.

-- 
Regards,
EddyP
=============================================
"Imagination is more important than knowledge" A.Einstein



Tags removed: security. Request was from Eddy Petrișor <eddy.petrisor@gmail.com> to control@bugs.debian.org. (Wed, 04 Apr 2007 17:21:08 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#417789; Package elinks.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>.

Message #17 received at 417789@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Eddy Petrișor <eddy.petrisor@gmail.com>, 417789@bugs.debian.org
Subject: Re: Bug#417789: this doesn't seem like a security issue
Date: Wed, 4 Apr 2007 13:18:34 -0700
tags 417789 security
thanks

On Wed, Apr 04, 2007 at 08:04:52PM +0300, Eddy Petrișor wrote:

> > I tagged this bug as grave+security because it can be used to make
> > elinks load any corrupted file, and possibly execute arbitrary code.

> How? Those are only strings. Nothing is executed from po/mo/gmo files.

You've audited the code and proven that the segfault in elinks2 can't be
exploited into an arbitrary code execution bug?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Tags added: security. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Wed, 04 Apr 2007 20:24:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#417789; Package elinks.

Acknowledgement sent to Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>.

Message #24 received at 417789@bugs.debian.org:

From: Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>
To: eddy.petrisor@gmail.com, 417789@bugs.debian.org
Subject: Re: this doesn't seem like a security issue
Date: Thu, 05 Apr 2007 17:06:37 +0200
On Wed, Apr 04, 2007 at 08:04:52PM +0300, Eddy Petrișor wrote:

> > I tagged this bug as grave+security because it can be used to make
> > elinks load any corrupted file, and possibly execute arbitrary code.

> How? Those are only strings. Nothing is executed from po/mo/gmo files.

Beside the segfault that could potentially be exploited, as it was
already answered by Steve Langasek, I can see another attack vector.

Since the attacker has the full control of the gettext catalog, I
suspect that some sort of format string attack could be doable (I
haven't tried).

        Arnaud



Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#417789; Package elinks.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>.

Message #29 received at 417789@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>, 417789@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#417789: elinks: elinks uses untrusted gettext catalog
Date: Sun, 29 Apr 2007 01:22:58 +0200
On Wed, Apr  4, 2007 at 17:11:44 +0200, Arnaud Giersch wrote:

> Package: elinks
> Version: 0.11.1-1.2
> Severity: grave
> Tags: security, patch
> 
> Hi,
> 
> Elinks loads untrusted gettext catalog from the relative directory
> "../po/", and crashes (SIGSEGV) if the loaded file is corrupted. 

Hi,

I prepared a NMU for this bug, patch attached.  The patch simply
disables the "feature" which led to the opening of untrusted files.

Security team, I'll prepare packages for sarge and etch, let me know if
I can upload to {,old}stable-security.

Cheers,
Julien
[elinks-417789.diff (text/x-diff, attachment)]

Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility.

Notification sent to Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>:
Bug acknowledged by developer.

Message #34 received at 417789-close@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: 417789-close@bugs.debian.org
Subject: Bug#417789: fixed in elinks 0.11.1-1.4
Date: Sun, 29 Apr 2007 00:32:03 +0000
Source: elinks
Source-Version: 0.11.1-1.4

We believe that the bug you reported is fixed in the latest version of
elinks, which is due to be installed in the Debian FTP archive:

elinks-lite_0.11.1-1.4_i386.deb
  to pool/main/e/elinks/elinks-lite_0.11.1-1.4_i386.deb
elinks_0.11.1-1.4.diff.gz
  to pool/main/e/elinks/elinks_0.11.1-1.4.diff.gz
elinks_0.11.1-1.4.dsc
  to pool/main/e/elinks/elinks_0.11.1-1.4.dsc
elinks_0.11.1-1.4_i386.deb
  to pool/main/e/elinks/elinks_0.11.1-1.4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 417789@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated elinks package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sun, 29 Apr 2007 00:18:54 +0200
Source: elinks
Binary: elinks-lite elinks
Architecture: source i386
Version: 0.11.1-1.4
Distribution: unstable
Urgency: high
Maintainer: Peter Gervai <grin@tolna.net>
Changed-By: Julien Cristau <jcristau@debian.org>
Description: 
 elinks     - advanced text-mode WWW browser
 elinks-lite - advanced text-mode WWW browser (lite version)
Closes: 417789
Changes: 
 elinks (0.11.1-1.4) unstable; urgency=high
 .
   * Non-maintainer security upload.
   * Don't look for gettext message catalogs in ../po/ (closes: #417789).
     Thanks, Arnaud Giersch! Reference: CVE-2007-2027.
Files: 
 4040eff6942613684fb9517b5b6181c9 768 web optional elinks_0.11.1-1.4.dsc
 1333d86643a26ab29db3c615d24cab00 28360 web optional elinks_0.11.1-1.4.diff.gz
 432881cc9046e4c30fdf9a3241cb7e36 1179828 web optional elinks_0.11.1-1.4_i386.deb
 32bc2e8aa8fc1796f0f2110594fd337e 417316 web optional elinks-lite_0.11.1-1.4_i386.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#417789; Package elinks.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>.

Message #39 received at 417789@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Julien Cristau <jcristau@debian.org>
Cc: Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>, 417789@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#417789: elinks: elinks uses untrusted gettext catalog
Date: Sun, 29 Apr 2007 12:03:20 +0200
Julien Cristau wrote:
> On Wed, Apr  4, 2007 at 17:11:44 +0200, Arnaud Giersch wrote:
> 
> > Package: elinks
> > Version: 0.11.1-1.2
> > Severity: grave
> > Tags: security, patch
> > 
> > Hi,
> > 
> > Elinks loads untrusted gettext catalog from the relative directory
> > "../po/", and crashes (SIGSEGV) if the loaded file is corrupted. 
> 
> Hi,
> 
> I prepared a NMU for this bug, patch attached.  The patch simply
> disables the "feature" which lead to the opening of untrusted files.
> 
> Security team, I'll prepare packages for sarge and etch, let me know if
> I can upload to {,old}stable-security.

I don't see evidence this allows code injection, please point me to the
code in question.

Even if, the attack vector would be far too obscure to make this relevant
in practice.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#417789; Package elinks.

Acknowledgement sent to Kalle Olavi Niemitalo <kon@iki.fi>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>.

Message #44 received at 417789@bugs.debian.org:

From: Kalle Olavi Niemitalo <kon@iki.fi>
To: 417789@bugs.debian.org
Subject: Re: Bug#417789: fixed in elinks 0.11.1-1.4
Date: Fri, 04 May 2007 10:57:07 +0300
Julien Cristau <jcristau@debian.org> writes:

>  elinks (0.11.1-1.4) unstable; urgency=high
>  .
>    * Non-maintainer security upload.
>    * Don't look for gettext message catalogs in ../po/ (closes: #417789).
>      Thanks, Arnaud Giersch! Reference: CVE-2007-2027.

A less paranoid fix has been checked in to elinks-0.11 and
elinks-0.12 in Git.  If you want to review it, now is the time.

http://pasky.or.cz/gitweb.cgi?p=elinks.git;a=commit;h=928f364ba2803f98d71775dc03b694d6403c0754
http://pasky.or.cz/gitweb.cgi?p=elinks.git;a=commit;h=110c564af3c12f40743b7e1adcfd3a034d73b601

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#417789; Package elinks.

Acknowledgement sent to Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>.

Message #49 received at 417789@bugs.debian.org:

From: Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>
To: Kalle Olavi Niemitalo <kon@iki.fi>
Cc: 417789@bugs.debian.org
Subject: Re: Bug#417789: fixed in elinks 0.11.1-1.4
Date: Sat, 05 May 2007 16:10:06 +0200
On Friday 04 May 2007, at 09:57:07 (+0200), Kalle Olavi Niemitalo
wrote:

>>    * Don't look for gettext message catalogs in ../po/ (closes: #417789).
>>      Thanks, Arnaud Giersch! Reference: CVE-2007-2027.
>
> A less paranoid fix has been checked in to elinks-0.11 and
> elinks-0.12 in Git.  If you want to review it, now is the time.
>
> http://pasky.or.cz/gitweb.cgi?p=elinks.git;a=commit;h=928f364ba2803f98d71775dc03b694d6403c0754
> http://pasky.or.cz/gitweb.cgi?p=elinks.git;a=commit;h=110c564af3c12f40743b7e1adcfd3a034d73b601

Hi,

I don't believe that this patch really solves the security issue.  A
user may still be vulnerable if he wants to run his freshly compiled
(but not installed now) elinks.  This user would typically run it as
/path/to/elinks/src/elinks.  If his cwd is not in the elinks sources,
a wrong gettext catalog may be opened.

I however agree that the risk is pretty low.  I was personally more
concerned by autofs failing to mount /home/po/ each time I ran elinks
from my home directory.

I understand that it is an important feature for translators.  IMHO, a
suitable solution can be:

* enabling this code with --enable-debug like you apparently thought
  about;

* removing the hard-coded "../po/" path, and letting the user specify
  his preferred path, either with a command line option, or with some
  environment variable.

Regards,
        Arnaud Giersch



Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#417789; Package elinks.

Acknowledgement sent to Kalle Olavi Niemitalo <kon@iki.fi>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>.

Message #54 received at 417789@bugs.debian.org:

From: Kalle Olavi Niemitalo <kon@iki.fi>
To: Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>
Cc: 417789@bugs.debian.org
Subject: Re: Bug#417789: fixed in elinks 0.11.1-1.4
Date: Sat, 05 May 2007 23:14:33 +0300
Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr> writes:

> I don't believe that this patch really solves the security issue.  A
> user may still be vulnerable if he wants to run his freshly compiled
> (but not installed now) elinks.  This user would typically run it as
> /path/to/elinks/src/elinks.  If his cwd is not in the elinks sources,
> a wrong gettext catalog may be opened.

Thank you for your concern.  The patched ELinks 0.12.GIT
(d1fa336f7f390d9b51456498fac5dda8f54c18a4) appears to open the
correct gettext catalog in this case, regardless of what the
current working directory is.  Please see the GDB session below.

$ gdb --args ~/build/i686-pc-linux-gnu/elinks-0.12/src/elinks -no-connect
GNU gdb 6.5-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) list /home/Kalle/src/elinks-0.12/src/intl/gettext/loadmsgcat.c:207,229
207     /* This is hacked for ELinks - we want to look up for the translations at the
208      * correct place even if we are being ran from the source/build tree. */
209     static struct string *
210     add_filename_to_string(struct string *str, struct loaded_l10nfile *domain_file)
211     {
212             unsigned char *slash = strrchr(program.path, '/');
213             size_t dirnamelen = (slash ? slash - program.path + 1 : 0);
214
215             /* Check if elinks is being run from the source tree. */
216             if (dirnamelen < 4
217                 || strncmp(program.path + dirnamelen - 4, "src", 3))
218                     return NULL;
219
220             if ((dirnamelen && !add_bytes_to_string(str, program.path, dirnamelen))
221                 || !add_to_string(str, "../po/")
222                 || !add_bytes_to_string(str,
223                                         (unsigned char *) domain_file->langdirname,
224                                         domain_file->langdirnamelen)
225                 || !add_to_string(str, ".gmo"))
226                     return NULL;
227
228             return str;
229     }
(gdb) break add_filename_to_string
Breakpoint 1 at 0x80c5453: file /home/Kalle/src/elinks-0.12/src/intl/gettext/loadmsgcat.c, line 212.
(gdb) run
Starting program: /home/Kalle/build/i686-pc-linux-gnu/elinks-0.12/src/elinks -no-connect
[Thread debugging using libthread_db enabled]
[New Thread -1216120064 (LWP 8749)]
[Switching to Thread -1216120064 (LWP 8749)]

Breakpoint 1, add_filename_to_string (str=0xbfbc844c, domain_file=0x819b820)
    at /home/Kalle/src/elinks-0.12/src/intl/gettext/loadmsgcat.c:212
212             unsigned char *slash = strrchr(program.path, '/');
(gdb) print program.path
$1 = (unsigned char *) 0xbfbc942e "/home/Kalle/build/i686-pc-linux-gnu/elinks-0.12/src/elinks"
(gdb) next
213             size_t dirnamelen = (slash ? slash - program.path + 1 : 0);
(gdb) print slash
$2 = (unsigned char *) 0xbfbc9461 "/elinks"
(gdb) next
216             if (dirnamelen < 4
(gdb) print dirnamelen
$3 = 52
(gdb) print program.path + dirnamelen - 4
$4 = (unsigned char *) 0xbfbc945e "src/elinks"
(gdb) next
220             if ((dirnamelen && !add_bytes_to_string(str, program.path, dirnamelen))
(gdb) print *str
$5 = {magic = 777777777, source = 0x81c3550 "", length = 0}
(gdb) print domain_file->langdirname[0]@domain_file->langdirnamelen
$6 = "fi_FI.UTF-8"
(gdb) next
228             return str;
(gdb) print *str
$7 = {magic = 777777777, source = 0x81c3550 "/home/Kalle/build/i686-pc-linux-gnu/elinks-0.12/src/../po/fi_FI.UTF-8.gmo",
  length = 73}
(gdb)

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#417789; Package elinks.

Acknowledgement sent to Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>.

Message #59 received at 417789@bugs.debian.org:

From: Arnaud Giersch <arnaud.giersch@iut-bm.univ-fcomte.fr>
To: Kalle Olavi Niemitalo <kon@iki.fi>
Cc: 417789@bugs.debian.org
Subject: Re: Bug#417789: fixed in elinks 0.11.1-1.4
Date: Sat, 05 May 2007 23:07:16 +0200
On Saturday 05 May 2007, at 22:14:33 (+0200), Kalle Olavi Niemitalo
wrote:

> Thank you for your concern.  The patched ELinks 0.12.GIT
> (d1fa336f7f390d9b51456498fac5dda8f54c18a4) appears to open the
> correct gettext catalog in this case, regardless of what the
> current working directory is.  Please see the GDB session below.

[...]

> (gdb) print *str
> $7 = {magic = 777777777, source = 0x81c3550 "/home/Kalle/build/i686-pc-linux-gnu/elinks-0.12/src/../po/fi_FI.UTF-8.gmo",
>   length = 73}

You are right.  I missed the fact that "../po/" was appended to the
path to the binary, and not relative to the current working directory.

The only way to abuse this functionality that I can see now is the
improbable situation where the binary is run from some directory that
is not in the source tree, but whose name ends with "src".

        Arnaud
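
The path logic debated in the two messages above (Kalle's gdb session and Arnaud's "directory whose name ends with src" remark), as an added example that is not ELinks code: a plain-C re-implementation of the patched add_filename_to_string() check using malloc'd C strings instead of ELinks's struct string, plus a stricter component check of this example's own (an assumption, not part of the ELinks patch) that closes the "foosrc" case. The program paths it runs on are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not ELinks code: re-implements the path logic of the
 * patched add_filename_to_string() from the gdb listing, so the "src"
 * test and the resulting catalog path can be examined for any program
 * path without building ELinks.
 *
 * Returns a newly allocated "<dir of binary>../po/<langdir>.gmo" when the
 * directory part of program_path ends in "src" (the patched check), or
 * NULL otherwise (an installed /usr/bin/elinks gets NULL, so gettext falls
 * back to the system catalog).  Caller frees the result. */
char *
source_tree_catalog_path(const char *program_path, const char *langdir)
{
    const char *slash = strrchr(program_path, '/');
    size_t dirnamelen = slash ? (size_t)(slash - program_path + 1) : 0;
    size_t len;
    char *out;

    /* Same test as the listing: the 3 bytes before the final '/' must be
     * "src".  It does not require a '/' before them, so "foosrc/" passes. */
    if (dirnamelen < 4 || strncmp(program_path + dirnamelen - 4, "src", 3))
        return NULL;

    len = dirnamelen + strlen("../po/") + strlen(langdir) + strlen(".gmo");
    out = malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, program_path, dirnamelen);
    out[dirnamelen] = '\0';
    strcat(out, "../po/");
    strcat(out, langdir);
    strcat(out, ".gmo");
    return out;
}

/* Stricter variant (this example's assumption, not the ELinks patch):
 * accept the build-tree path only when the last directory component is
 * exactly "src", i.e. preceded by '/' or by the start of the string.
 * Returns 1 if the strict check passes, 0 otherwise. */
int
is_src_component_dir(const char *program_path)
{
    const char *slash = strrchr(program_path, '/');
    size_t dirnamelen = slash ? (size_t)(slash - program_path + 1) : 0;

    if (dirnamelen < 4 || strncmp(program_path + dirnamelen - 4, "src", 3))
        return 0;
    return dirnamelen == 4 || program_path[dirnamelen - 5] == '/';
}

int
main(void)
{
    /* Constructed program paths: the build-tree one from Kalle's session,
     * an installed binary, and the "name merely ends with src" corner case. */
    const char *paths[] = {
        "/home/Kalle/build/i686-pc-linux-gnu/elinks-0.12/src/elinks",
        "/usr/bin/elinks",
        "/tmp/foosrc/elinks",
    };
    size_t i;

    for (i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        char *p = source_tree_catalog_path(paths[i], "fi_FI.UTF-8");
        printf("%-60s -> %s (strict: %s)\n", paths[i],
               p ? p : "(system catalog)",
               is_src_component_dir(paths[i]) ? "build tree" : "not build tree");
        free(p);
    }
    return 0;
}
```

For Kalle's path the function reproduces the 73-byte string his gdb session printed; for the "foosrc" path the patched check still yields a path while the strict check rejects it.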



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 04 Jul 2007 08:29:52 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 04:33:37 2014; Machine Name: beach.debian.org
