Debian Bug report logs - #422034
fbi: missing input sanitization


Package: fbi; Maintainer for fbi is Moritz Muehlenhoff <jmm@debian.org>; Source for fbi is src:fbi.

Reported by: Jakub Wilk <ubanus@users.sf.net>

Date: Thu, 3 May 2007 04:42:05 UTC

Severity: normal

Found in version fbi/2.05-2

Fixed in version fbi/2.06-2

Done: Moritz Muehlenhoff <jmm@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, ubanus@users.sf.net, Moritz Muehlenhoff <jmm@debian.org>:
Bug#422034; Package fbi. Full text and rfc822 format available.

Acknowledgement sent to Jakub Wilk <ubanus@users.sf.net>:
New Bug report received and forwarded. Copy sent to ubanus@users.sf.net, Moritz Muehlenhoff <jmm@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jakub Wilk <ubanus@users.sf.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fbi: missing input sanitization
Date: Thu, 3 May 2007 06:40:32 +0200
Package: fbi
Version: 2.05-2
Severity: normal

$ F='"; echo buggy > buggy.log; : "'
$ touch "$F"
$ fbi "$F" 2>/dev/null
$ cat buggy.log
buggy

-- System Information:
Debian Release: lenny/sid
 APT prefers testing
 APT policy: (900, 'testing'), (600, 'unstable'), (500, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=pl_PL (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/dash

Versions of packages fbi depends on:
ii  gs-gpl                    8.54.dfsg.1-5  The GPL Ghostscript PostScript int
ii  libc6                     2.3.6.ds1-13   GNU C Library: Shared libraries
ii  libcurl3                  7.15.5-1       Multi-protocol file transfer libra
ii  libexif12                 0.6.13-5       library to parse EXIF files
ii  libfontconfig1            2.4.2-1.2      generic font configuration library
ii  libfreetype6              2.2.1-5        FreeType 2 font engine, shared lib
ii  libjpeg62                 6b-13          The Independent JPEG Group's JPEG 
ii  libpcd2                   1.0.1-1        A library for reading PhotoCD imag
ii  libpng12-0                1.2.15~beta5-1 PNG library - runtime
ii  libtiff4                  3.8.2-7        Tag Image File Format (TIFF) libra
ii  libungif4g                4.1.4-4        shared library for GIF images
ii  zlib1g                    1:1.2.3-13     compression library - runtime

fbi recommends no packages.

-- no debconf information

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#422034; Package fbi. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 422034@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Jakub Wilk <ubanus@users.sf.net>
Cc: 422034@bugs.debian.org, kraxel@bytesex.org
Subject: Re: fbi: missing input sanitization
Date: Sat, 1 Dec 2007 12:20:46 +0100
Jakub Wilk wrote:
> Package: fbi
> Version: 2.05-2
> Severity: normal
>
> $ F='"; echo buggy > buggy.log; : "'
> $ touch "$F"
> $ fbi "$F" 2>/dev/null
> $ cat buggy.log
> buggy

Confirmed. The problem is the use of popen() if an image is displayed
which needs to be converted by imagemagick:

    if (NULL == loader) {
        /* no loader found, try to use ImageMagick's convert */
        snprintf(command,sizeof(command),
                 "convert -depth 8 \"%s\" ppm:-",filename);
        if (NULL == (fp = popen(command,"r")))
            return NULL;
        loader = &ppm_loader;
    }

Since fbi is not suitable for non-interactive use and the filename would
need to contain the commands to be executed I don't consider this a
security problem. Still, it should be fixed.

CCing upstream. Gerd, the popen() call needs to be sanitised or replaced.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Moritz Muehlenhoff <jmm@debian.org>:
Bug#422034; Package fbi. Full text and rfc822 format available.

Acknowledgement sent to Gerd Hoffmann <kraxel@bytesex.org>:
Extra info received and forwarded to list. Copy sent to Moritz Muehlenhoff <jmm@debian.org>. Full text and rfc822 format available.

Message #15 received at 422034@bugs.debian.org (full text, mbox):

From: Gerd Hoffmann <kraxel@bytesex.org>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: Jakub Wilk <ubanus@users.sourceforge.net>, 422034@bugs.debian.org
Subject: Re: fbi: missing input sanitization
Date: Mon, 03 Dec 2007 11:31:27 +0100
[Message part 1 (text/plain, inline)]
Moritz Muehlenhoff wrote:
> Since fbi is not suitable for non-interactive use and the filename would
> need to contain the commands to be executed I don't consider this a
> security problem. Still, it should be fixed.
>   
It is at least quite hard to exploit remotely.  Even when configuring
fbi as image viewer in your text mode browser you'll usually end up with
an mkstemp()-generated, /tmp/foo-xrks73w style filename being passed to
fbi ...
> CCing upstream. Gerd, the popen() call needs to be sanitised or replaced
>   
Fixed in cvs, patch attached for reference.

cheers,
  Gerd

[fix (text/plain, inline)]
Index: fbi.c
===================================================================
RCS file: /home/cvsroot/fbida/fbi.c,v
retrieving revision 1.22
retrieving revision 1.24
diff -u -p -r1.22 -r1.24
--- fbi.c	25 Aug 2006 13:55:52 -0000	1.22
+++ fbi.c	3 Dec 2007 10:23:18 -0000	1.24
@@ -637,7 +637,6 @@ static void free_image(struct ida_image 
 static struct ida_image*
 read_image(char *filename)
 {
-    char command[1024];
     struct ida_loader *loader = NULL;
     struct ida_image *img;
     struct list_head *item;
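Review bot: dropping the 1024-byte command buffer is the right cleanup once snprintf()/popen() go, and it also removes the silent truncation of long filenames that snprintf() into a fixed buffer implied; confirm no other reference to command remains in read_image(), otherwise this hunk alone breaks the build.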
@@ -666,11 +665,29 @@ read_image(char *filename)
     }
     if (NULL == loader) {
 	/* no loader found, try to use ImageMagick's convert */
-	snprintf(command,sizeof(command),
-		 "convert -depth 8 \"%s\" ppm:-",filename);
-	if (NULL == (fp = popen(command,"r")))
+	int p[2];
+
+	if (0 != pipe(p))
+	    return NULL;
+	switch (fork()) {
+	case -1: /* error */
+	    perror("fork");
+	    close(p[0]);
+	    close(p[1]);
 	    return NULL;
-	loader = &ppm_loader;
+	case 0: /* child */
+	    dup2(p[1], 1 /* stdout */);
+	    close(p[0]);
+	    close(p[1]);
+	    execlp("convert", "convert", "-depth", "8", filename, "ppm:-", NULL);
+	    exit(1);
+	default: /* parent */
+	    close(p[1]);
+	    fp = fdopen(p[0], "r");
+	    if (NULL == fp)
+		return NULL;
+	    loader = &ppm_loader;
+	}
     }
 
     /* load image */
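Review bot: the parent never reaps the child. pclose() did the waitpid() implicitly; with fdopen() the fork() return value is discarded here, so every converted image leaves a zombie convert process until fbi exits. Store the pid and waitpid() it where the ppm stream is closed. Two smaller points in the same hunk: after a failed execlp() the child should call _exit(1) rather than exit(1), so the parent's unflushed stdio buffers are not written a second time from the child; and a filename that begins with '-' is still delivered to convert as an option, which prefixing relative names with "./" would avoid. The switch from a shell-interpolated string to execlp() with filename as a single argument is the correct fix for the report itself.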

Information forwarded to debian-bugs-dist@lists.debian.org, Moritz Muehlenhoff <jmm@debian.org>:
Bug#422034; Package fbi. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Moritz Muehlenhoff <jmm@debian.org>. Full text and rfc822 format available.

Message #20 received at 422034@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Gerd Hoffmann <kraxel@bytesex.org>, 422034@bugs.debian.org
Subject: Re: Bug#422034: fbi: missing input sanitization
Date: Tue, 4 Dec 2007 22:45:37 +0100
On Mon, Dec 03, 2007 at 11:31:27AM +0100, Gerd Hoffmann wrote:
> Moritz Muehlenhoff wrote:
> > Since fbi is not suitable for non-interactive use and the filename would
> > need to contain the commands to be executed I don't consider this a
> > security problem. Still, it should be fixed.
> >   
> It is at least quite hard to exploit remotely.  Even when configuring
> fbi as image viewer in your text mode browser you'll usually end up with
> an mkstemp()-generated, /tmp/foo-xrks73w style filename being passed to
> fbi ...
> > CCing upstream. Gerd, the popen() call needs to be sanitised or replaced
> >   
> Fixed in cvs, patch attached for reference.

Thanks Gerd. Do you have fbi release plans within the next months? Otherwise
I'll apply the patch to the Debian package.

Cheers,
        Moritz




Reply sent to Moritz Muehlenhoff <jmm@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Jakub Wilk <ubanus@users.sf.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #25 received at 422034-close@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: 422034-close@bugs.debian.org
Subject: Bug#422034: fixed in fbi 2.06-2
Date: Sat, 19 Jan 2008 23:47:02 +0000
Source: fbi
Source-Version: 2.06-2

We believe that the bug you reported is fixed in the latest version of
fbi, which is due to be installed in the Debian FTP archive:

exiftran_2.06-2_i386.deb
  to pool/main/f/fbi/exiftran_2.06-2_i386.deb
fbi_2.06-2.dsc
  to pool/main/f/fbi/fbi_2.06-2.dsc
fbi_2.06-2.tar.gz
  to pool/main/f/fbi/fbi_2.06-2.tar.gz
fbi_2.06-2_i386.deb
  to pool/main/f/fbi/fbi_2.06-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 422034@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated fbi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 19 Jan 2008 18:30:42 +0100
Source: fbi
Binary: fbi exiftran
Architecture: source i386
Version: 2.06-2
Distribution: unstable
Urgency: low
Maintainer: Moritz Muehlenhoff <jmm@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description: 
 exiftran   - transform digital camera jpeg images
 fbi        - Linux frame buffer image viewer
Closes: 422034 460556
Changes: 
 fbi (2.06-2) unstable; urgency=low
 .
   * Stop using popen() when passing files to imagemagick for conversion.
     Problem spotted by Jakub Wilk. (Closes: #422034)
   * Add updated MIME definitions, kindly provided by Guillaume
     (giggzounet@gmail.com):
     - Don't wildcard all image files, only the ones that actually work
     - Add definitions for fbgs (Closes: #460556)
   * Stop using DH_COMPAT, instead use debian/compat
   * Bump to compat level 6 (no changes needed)
   * Bump standards version to 3.7.2 (no changes needed)
   * Depend on ghostscript, rather than gs-gpl
Files: 
 1c712cf17648ba60f7a003260fda514e 716 graphics optional fbi_2.06-2.dsc
 17de48c6873bdac6e2655fae4f80893b 217175 graphics optional fbi_2.06-2.tar.gz
 c82643541cbb974a249a3f799e61f890 54980 graphics optional fbi_2.06-2_i386.deb
 fb4460b394d28a22052c387d862e17eb 24604 graphics optional exiftran_2.06-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD4DBQFHknTeXm3vHE4uyloRApWNAKCtidmX8lrs93Ig/mG9hIRUDjW1hgCXQ0Ax
IQmDQK8AjREGvqLBwU2HUg==
=JAXh
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 May 2008 09:46:01 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 15:52:30 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.