Debian Bug report logs - #448437 unp: Incomplete filename escaping
Reported by: Erich Schubert <erich@debian.org>
Date: Mon, 29 Oct 2007 02:30:01 UTC
Severity: grave
Tags: security
Found in version unp/1.0.12
Fixed in version unp/1.0.15
Done: Eduard Bloch <blade@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#448437; Package unp.
Acknowledgement sent to Erich Schubert <erich@debian.org>:
New Bug report received and forwarded. Copy sent to Eduard Bloch <blade@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: unp
Version: 1.0.12
Severity: important
Tags: security
unp doesn't escape filenames properly. Try this:
touch empty
zip \`ls\`.zip empty
unp \`ls\`.zip
and it will give you a directory listing.
This means that any application using 'unp' for a generic decompression
utility might be vulnerable to a filename-based injection attack.
Maybe increase the severity level?
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-2-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
unp depends on no packages.
Versions of packages unp recommends:
ii bzip2 1.0.3-7 high-quality block-sorting file co
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#448437; Package unp.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>.
Message #10 received at 448437@bugs.debian.org:
* Erich Schubert:
> unp doesn't escape filenames properly. Try this:
>
> touch empty
> zip \`ls\`.zip empty
> unp \`ls\`.zip
>
> and it will give you a directory listing.
This should be fixed not by escaping file names, but by using Perl's
"system" function which takes a list of arguments (and does not invoke
the shell).
Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#448437; Package unp.
Acknowledgement sent to Erich Schubert <erich@debian.org>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>.
Message #15 received at 448437@bugs.debian.org:
Hi,
> This should be fixed not by escaping file names, but by using Perl's
> "system" function which takes a list of arguments (and does not invoke
> the shell).
Yeah, sorry, that was what I meant basically... right now, unp does
something like \"$filename\" which is really naive...
One of the things that made me use Python for most of the things I've
been using Perl before was the great subprocess module. That's the first
API I've ever seen which makes it nicer to do these things right than
doing them the wrong way...
best regards,
Erich Schubert
Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#448437; Package unp.
Acknowledgement sent to Eduard Bloch <edi@gmx.de>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>.
Message #20 received at 448437@bugs.debian.org:
#include <hallo.h>
* Erich Schubert [Mon, Oct 29 2007, 04:09:13PM]:
> Hi,
> > This should be fixed not by escaping file names, but by using Perl's
> > "system" function which takes a list of arguments (and does not invoke
> > the shell).
>
> Yeah, sorry, that was what I meant basically... right now, unp does
> something like \"$filename\" which is really naive...
ACK. There are lots of kludges therein, I am fixing it right now.
> One of the things that made me use Python for most of the things I've
> been using Perl before was the great subprocess module. That's the first
> API I've ever seen which makes it nicer to do these things right than
> doing them the wrong way...
Nah, you can make a wrapper easily which does it very well.
Regards,
Eduard.
Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#448437; Package unp.
Acknowledgement sent to Eduard Bloch <edi@gmx.de>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>.
Message #25 received at 448437@bugs.debian.org:
#include <hallo.h>
* Florian Weimer [Mon, Oct 29 2007, 03:00:52PM]:
> * Erich Schubert:
>
> > unp doesn't escape filenames properly. Try this:
> >
> > touch empty
> > zip \`ls\`.zip empty
> > unp \`ls\`.zip
> >
> > and it will give you a directory listing.
>
> This should be fixed not by escaping file names, but by using Perl's
> "system" function which takes a list of arguments (and does not invoke
> the shell).
Yes, yes, but that's more complicated. I just tried to rewrite this
script in "good Perl" and it's a lot more work to do it right.
Security team: please consider using the attached patch. It is a quick
fix which uses libstring-shellquote-perl on @ARGV instead of the stupid
doublequote protection before.
Regards,
Eduard.
[quick_quoting_fix.diff (text/x-diff, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#448437; Package unp.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>.
Message #30 received at 448437@bugs.debian.org:
* Eduard Bloch:
> Security team: please consider using the attached patch. It is a quick
> fix which uses libstring-shellquote-perl on @ARGV instead of the stupid
> doublequote protection before.
I'd rather like to avoid introducing a new dependency in a security
update, but it's probably a bit difficult to properly implement the
command pipes (not just a couple of one-liners).
uudecode support also introduces a directory traversal vulnerability,
but this could be considered a bug in uudecode, too. unshar support
leads to direct code execution. I haven't checked the other unpackers.
Reply sent to Eduard Bloch <blade@debian.org>:
You have taken responsibility.
Notification sent to Erich Schubert <erich@debian.org>:
Bug acknowledged by developer.
Message #35 received at 448437-close@bugs.debian.org:
Source: unp
Source-Version: 1.0.13
We believe that the bug you reported is fixed in the latest version of
unp, which is due to be installed in the Debian FTP archive:
unp_1.0.13.dsc
to pool/main/u/unp/unp_1.0.13.dsc
unp_1.0.13.tar.gz
to pool/main/u/unp/unp_1.0.13.tar.gz
unp_1.0.13_all.deb
to pool/main/u/unp/unp_1.0.13_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 448437@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eduard Bloch <blade@debian.org> (supplier of updated unp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 15 Dec 2007 14:20:21 +0100
Source: unp
Binary: unp
Architecture: source all
Version: 1.0.13
Distribution: unstable
Urgency: low
Maintainer: Eduard Bloch <blade@debian.org>
Changed-By: Eduard Bloch <blade@debian.org>
Description:
unp - unpack (almost) everything with one command
Closes: 448437
Changes:
unp (1.0.13) unstable; urgency=low
.
* Security fix: proper quoting of some commands using
libstring-shellquote-perl (closes: #448437)
Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#448437; Package unp.
Acknowledgement sent to Eduard Bloch <edi@gmx.de>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>.
Message #40 received at 448437@bugs.debian.org:
#include <hallo.h>
* Florian Weimer [Mon, Oct 29 2007, 11:37:18PM]:
> * Eduard Bloch:
>
> > Security team: please consider using the attached patch. It is a quick
> > fix which uses libstring-shellquote-perl on @ARGV instead of the stupid
> > doublequote protection before.
>
> I'd rather like to avoid introducing a new dependency in a security
> update, but it's probably a bit difficult to properly implement the
> command pipes (not just a couple of one-liners).
Like it or not, this is the fix I suggest ATM. Use it, or find another
solution, or wait a (long) while.
Regards,
Eduard.
Reply sent to Eduard Bloch <blade@debian.org>:
You have taken responsibility.
Notification sent to Erich Schubert <erich@debian.org>:
Bug acknowledged by developer.
Message #45 received at 448437-close@bugs.debian.org:
Source: unp
Source-Version: 1.0.14
We believe that the bug you reported is fixed in the latest version of
unp, which is due to be installed in the Debian FTP archive:
unp_1.0.14.dsc
to pool/main/u/unp/unp_1.0.14.dsc
unp_1.0.14.tar.gz
to pool/main/u/unp/unp_1.0.14.tar.gz
unp_1.0.14_all.deb
to pool/main/u/unp/unp_1.0.14_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 448437@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eduard Bloch <blade@debian.org> (supplier of updated unp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Tue, 25 Dec 2007 00:51:13 +0100
Source: unp
Binary: unp
Architecture: source all
Version: 1.0.14
Distribution: unstable
Urgency: low
Maintainer: Eduard Bloch <blade@debian.org>
Changed-By: Eduard Bloch <blade@debian.org>
Description:
unp - unpack (almost) everything with one command
Closes: 448437 457134
Changes:
unp (1.0.14) unstable; urgency=low
.
* Stop using libstring-shellquote-perl, it breaks things (closes: #457134)
* Code review and rewrite of potentially dangerous methods, using
environment variables and shell arguments to pass the variables
to called commands (now really closes: #448437)
* Debian packaging cleanup
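Added example, written for this log and not taken from unp or from any of the participants: the invocation patterns the thread argues about in Perl, i.e. the naive interpolation the report describes, the list-form call Florian Weimer suggests in message #10, the constant-script-plus-shell-argument shape of the 1.0.14 fix, and the `file -b` detail behind the second report in message #56, with a small check that tells them apart. It assumes a POSIX sh, coreutils printf and file(1) are installed; the archive name is constructed.

```perl
# Added example, not unp's own code: handing an untrusted archive name to
# external tools from Perl, with a check showing which pattern lets
# /bin/sh interpret metacharacters in the name.
use strict;
use warnings;

my $name = '`echo INJECTED`.zip';   # constructed, in the spirit of the report

# Run @cmd without a shell (list-form pipe open) and return its output.
sub capture {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    local $/;
    my $out = <$fh>;
    close $fh;
    return defined $out ? $out : '';
}

# 1. The naive pattern from the report: the name is interpolated into one
#    command string.  sh still does command substitution inside "...".
sub run_naive {
    my ($file) = @_;
    return qx{printf '%s' "$file"};
}

# 2. List form (Florian Weimer, message #10): no shell, no interpretation.
sub run_list {
    my ($file) = @_;
    return capture('printf', '%s', $file);
}

# 3. A real pipeline: keep the script constant, pass the name as $1.
#    This is the shape of the 1.0.14 fix (variables via shell arguments).
sub run_pipeline {
    my ($file) = @_;
    return capture('sh', '-c', q{printf '%s' "$1" | cat}, 'sh', $file);
}

# 4. Type detection as in message #56: "file -b" omits the "name: " prefix,
#    so ':' or spaces in the name cannot corrupt the parsed result, and
#    "--" stops a name starting with '-' from being taken as an option.
sub detect_type {
    my ($file) = @_;
    return capture('file', '-b', '--', $file);
}

# The check: a safe runner hands the name back unchanged.
sub preserves_name {
    my ($runner, $file) = @_;
    return $runner->($file) eq $file ? 1 : 0;
}

for my $case ([naive => \&run_naive], [list => \&run_list],
              [pipeline => \&run_pipeline]) {
    my ($label, $runner) = @$case;
    printf "%-9s %s\n", $label,
        preserves_name($runner, $name) ? 'name preserved' : 'sh ran the backticks';
}
```

Only the naive runner fails the check; the list and pipeline forms return the name byte for byte, which is the property an integrator calling unp from another program needs.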
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 22 Jan 2008 07:29:55 GMT)
Bug unarchived.
Request was from Erich Schubert <erich@debian.org>
to control@bugs.debian.org.
(Mon, 25 Feb 2008 21:27:38 GMT)
Bug reopened, originator not changed.
Request was from Erich Schubert <erich@debian.org>
to control@bugs.debian.org.
(Mon, 25 Feb 2008 21:27:39 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#448437; Package unp.
Acknowledgement sent to Erich Schubert <erich@debian.org>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>.
Message #56 received at 448437@bugs.debian.org:
unarchive 448437
reopen 448437
thanks
Filename escaping in unp is still incomplete:
$ rar a test.rar /etc/motd
$ dd if=test.rar of=broken\ archive.rar count=1 bs=50
$ unp broken\ archive.rar
RAR 3.71 Copyright (c) 1993-2007 Alexander Roshal 20 Sep 2007
Shareware version Type RAR -? for help
- the file header is corrupt
Extracting from broken archive.rar
- the file header is corrupt
Cannot create
No such file or directory
WARNING: Attempting to correct the invalid file name
Cannot create
No such file or directory
Unexpected end of archive
No files to extract
broken archive.rar - unknown extension, checking with file
ar: broken: No such file or directory
---
Notice how in the first run, rar is given the correct filename, whereas
in the second try (unp shouldn't try rar again if it didn't work in the
first place, but that's a different bug) after guessing the file type
with "file" it doesn't properly escape the filename.
best regards,
Erich Schubert
Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#448437; Package unp.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>.
Message #61 received at 448437@bugs.debian.org:
severity 448437 grave
thanks
Erich Schubert wrote:
> Package: unp
> Version: 1.0.12
> Severity: important
> Tags: security
>
> unp doesn't escape filenames properly. Try this:
>
> touch empty
> zip \`ls\`.zip empty
> unp \`ls\`.zip
>
> and it will give you a directory listing.
>
> This means that any application using 'unp' for a generic decompression
> utility might be vulnerable to a filename-based injection attack.
>
> Maybe increase the severity level?
Indeed.
Cheers,
Moritz
Severity set to `grave' from `important'
Request was from Moritz Muehlenhoff <jmm@inutil.org>
to control@bugs.debian.org.
(Wed, 23 Apr 2008 19:12:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Eduard Bloch <blade@debian.org>:
Bug#448437; Package unp.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Eduard Bloch <blade@debian.org>.
Message #68 received at 448437@bugs.debian.org:
On Monday 29 October 2007 23:02, Eduard Bloch wrote:
> Yes, yes, but that's more complicated. I just tried to rewrite this
> script in "good Perl" and it's a lot more work to do it right.
>
> Security team: please consider using the attached patch. It is a quick
> fix which uses libstring-shellquote-perl on @ARGV instead of the stupid
> doublequote protection before.
I see from the bug log that the suggested patch turned out to be not
sufficient. Do you as the maintainer have a suggestion for an updated patch
to fix the issue in stable?
thanks,
Thijs
Reply sent to Eduard Bloch <blade@debian.org>:
You have taken responsibility.
Notification sent to Erich Schubert <erich@debian.org>:
Bug acknowledged by developer.
Message #73 received at 448437-close@bugs.debian.org:
Source: unp
Source-Version: 1.0.15
We believe that the bug you reported is fixed in the latest version of
unp, which is due to be installed in the Debian FTP archive:
unp_1.0.15.dsc
to pool/main/u/unp/unp_1.0.15.dsc
unp_1.0.15.tar.gz
to pool/main/u/unp/unp_1.0.15.tar.gz
unp_1.0.15_all.deb
to pool/main/u/unp/unp_1.0.15_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 448437@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eduard Bloch <blade@debian.org> (supplier of updated unp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 17 May 2008 23:37:43 +0200
Source: unp
Binary: unp
Architecture: source all
Version: 1.0.15
Distribution: unstable
Urgency: medium
Maintainer: Eduard Bloch <blade@debian.org>
Changed-By: Eduard Bloch <blade@debian.org>
Description:
unp - unpack (almost) everything with one command
Closes: 318338 339695 355832 357933 448437 460159 466824
Changes:
unp (1.0.15) unstable; urgency=medium
.
* extended previous fix of 448437, reapplying corrections after alternative
detection of the filetype (closes: #448437). Also fixed ucat.
* filtering file's output to not stumble over stuff in input filenames
* disabled macunpack support, needs serious fixing (deferred)
* typo fixes ("unarchive", closes: #339695), manpage usage chapter
(closes: #355832)
* added reference to unrar-free package in user hints (that's enough
"support", the unrar command is provided via alternatives; closes: #357933)
* Added new file formats (7z, jar, war, ear, adf), based on a patch by
Philippe Coval (closes: #318338)
* updated package description (closes: #466824)
* added -av- to rar/unrar options (closes: #460159)
* debian/copyright file update
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 21 Jun 2008 07:34:53 GMT)
Last modified: Fri Jan 5 14:59:51 2018