Debian Bug report logs -
#854585
evilvte: Allows executing (unexpected) commands via mouse-clicks
Reported by: Steve Kemp <skx@debian.org>
Date: Wed, 8 Feb 2017 13:09:01 UTC
Severity: important
Tags: patch, security
Found in version evilvte/0.5.1-1
Fixed in version 0.5.1-1+rm
Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Wen-Yen Chuang <caleb@calno.com>:
Bug#854585; Package evilvte.
(Wed, 08 Feb 2017 13:09:03 GMT)
Acknowledgement sent
to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Wen-Yen Chuang <caleb@calno.com>.
(Wed, 08 Feb 2017 13:09:03 GMT)
Message #5 received at submit@bugs.debian.org:
Package: evilvte
Version: 0.5.1-1
Severity: important
Tags: security
Dear Maintainer,
Although a terminal is designed to execute commands it is unexpected
that clicking on hyperlinks would execute arbitrary code, and
unfortunately that is trivially possible.
Consider the following hyperlink:
http://example.com';touch$IFS/tmp/blah'
If that is displayed in the shell it will be highlighted, completely,
and clicking upon it will do two things:
* open http://example.com/ in the user's browser (firefox).
* Create the file /tmp/blah
This comes from one of several regions of the code:
g_snprintf(new_window_str, sizeof(new_window_str), "%s '%s' &", MATCH_STRING_L, matched_url);
system(new_window_str);
Or:
char new_window_str[256];
if (event->button == 2)
g_snprintf(new_window_str, sizeof(new_window_str), "%s '%s' &", MATCH_STRING_M, matched_url);
system(new_window_str);
An evil attacker could use this to send a link by email, which would
be displayed via mutt/lumail/rmail/etc, and thus the user would click
upon it.
Mitigating factors: The string is capped to 240 characters or so, once
you remove "firefox '...'&" from the string. So if a user has a
sufficiently wide terminal they might be OK ;)
Finally there is a simpler way opening a new window could also do evil things,
due to the use of `default_directory`:
g_snprintf(new_window_str, sizeof(new_window_str), "cd '%s' ; %s &", default_directory, PROGRAM_NAME);
system(new_window_str);
I'd suggest a decent audit of all uses of `system` to catch these flaws, but
I'd expect both of these flaws would qualify for CVE identifiers ..
-- System Information:
Debian Release: 8.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages evilvte depends on:
ii libc6 2.19-18+deb8u7
ii libglib2.0-0 2.42.1-1+b1
ii libgtk2.0-0 2.24.25-3+deb8u1
ii libvte9 1:0.28.2-5
evilvte recommends no packages.
evilvte suggests no packages.
-- no debconf information
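The report above describes the bug class rather than showing it end to end. The following is an added, constructed example (not evilvte source code; the function names are mine, and only the sample link is taken from the report). It shows why a URL interpolated into a single-quoted shell command lets a quote in the URL break out, how stopping the highlight at the first quote changes what reaches the shell, and how passing the URL as one argv element with no shell in between removes the problem entirely. Nothing here runs system(); the vulnerable command line is only built and modelled.

```c
/* Constructed example for bug #854585 (not evilvte source code). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample input: the link from the report as shown on screen. */
static const char *const SAMPLE_URL = "http://example.com';touch$IFS/tmp/blah'";

/* Vulnerable construction, same shape as the g_snprintf()/system() pair quoted
 * in the report. Returns the command line system() would receive; it is not
 * executed. Returns -1 if the line did not fit (the cap the reporter mentions). */
int build_shell_cmd(const char *browser, const char *url, char *out, size_t n)
{
    int len = snprintf(out, n, "%s '%s' &", browser, url);
    return (len >= 0 && (size_t)len < n) ? len : -1;
}

/* Minimal model of how /bin/sh tokenises that line: only single quotes and the
 * ';' separator are modelled, which is all the sample needs. Returns the number
 * of distinct commands the shell would run; a clean URL yields 1. */
int count_shell_commands(const char *cmd)
{
    int in_single_quote = 0, commands = 1;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\'')
            in_single_quote = !in_single_quote;
        else if (*p == ';' && !in_single_quote)
            commands++;
    }
    return commands;
}

/* Model of the regexp change proposed in the follow-up: the highlighter ends
 * the match at the first character of a stop set. With '\'' in the set the
 * clickable region ends before the quote, so the shell-breaking tail is never
 * passed on. Simplified stop set; the real MATCH_HTTP_DATA is more involved. */
size_t highlight_len(const char *text, int stop_at_quote)
{
    const char *stop = stop_at_quote ? " \t\r\n<>\"|'" : " \t\r\n<>\"|";
    return strcspn(text, stop);
}

/* Hardened replacement for system(): exec the browser directly with the URL as
 * a single argv element. No shell parses the string, so no character in it is
 * special. Returns the child's exit status, or -1 on failure. */
int open_url_noshell(const char *browser, const char *url)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)browser, (char *)url, NULL };
        execvp(browser, argv);
        _exit(127);               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];

    build_shell_cmd("firefox", SAMPLE_URL, cmd, sizeof cmd);
    printf("shell line : %s\n", cmd);
    printf("commands   : %d  (the second one is the injected touch)\n",
           count_shell_commands(cmd));

    /* Highlight only up to the first quote, as the patched regexp would. */
    char clipped[256];
    size_t n = highlight_len(SAMPLE_URL, 1);
    memcpy(clipped, SAMPLE_URL, n);
    clipped[n] = '\0';
    build_shell_cmd("firefox", clipped, cmd, sizeof cmd);
    printf("patched    : %s -> %d command(s)\n", cmd, count_shell_commands(cmd));

    /* No shell at all: the whole URL arrives intact as argv[1]. /bin/echo
     * stands in for the browser so the demonstration runs anywhere. */
    return open_url_noshell("/bin/echo", SAMPLE_URL) == 0 ? 0 : 1;
}
```

The regexp change only narrows what gets highlighted; the argv-based launcher is the fix that survives new inputs, since the matched text is never parsed by a shell at all.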
Information forwarded
to debian-bugs-dist@lists.debian.org, Wen-Yen Chuang <caleb@calno.com>:
Bug#854585; Package evilvte.
(Thu, 09 Feb 2017 05:45:03 GMT)
Acknowledgement sent
to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Wen-Yen Chuang <caleb@calno.com>.
(Thu, 09 Feb 2017 05:45:03 GMT)
Message #10 received at 854585@bugs.debian.org:
Tags: patch
One approach at solving this problem would be to stop
highlighting the URL at the first "'" character.
This matches what gnome-terminal, and others, do already
even though I don't believe this character _should_ be
escaped.
This can be achieved by updating the regexp:
deagol ~/evilvte/src $ diff --unified macro2.h macro2.h.new
--- macro2.h 2017-02-09 07:40:21.972749915 +0200
+++ macro2.h.new 2017-02-09 07:40:38.256749654 +0200
@@ -130,7 +130,7 @@
#define LABEL_SUBMENU_IME "_Input Methods"
#endif
-#define MATCH_HTTP_DATA "((f|F)|(h|H)(t|T))(t|T)(p|P)(s|S)?://(([^|.< \t\r\n\\\"]*([.][^|< \t\r\n\\\"])?[^|.< \t\r\n\\\"]*)*[^< \t\r\n,;|\\\"]*[^|.< \t\r\n\\\"])?/*"
+#define MATCH_HTTP_DATA "((f|F)|(h|H)(t|T))(t|T)(p|P)(s|S)?://(([^|.< \t\r\n\\\"']*([.][^|< \t\r\n\\\"'])?[^|.< \t\r\n\\\"']*)*[^< \t\r\n,;|\\\"']*[^|.< \t\r\n\\\"'])?/*"
#define MATCH_FILE_DATA "(f|F)(i|I)(l|L)(e|E):///(([^|.< \t\r\n\\\"]*([.][^|< \t\r\n\\\"])?[^|.< \t\r\n\\\"]*)*[^< \t\r\n,;|\\\"]*[^|.< \t\r\n\\\"])?/*"
#define MATCH_MAIL_DATA "(m|M)(a|A)(i|I)(l|L)(t|T)(o|O):(([^|.< \t\r\n\\\"]*([.][^|< \t\r\n\\\"])?[^|.< \t\r\n\\\"]*)*@[^< \t\r\n,;|\\\"]*[^|.< \t\r\n\\\"])?/*"
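Review bot: the `'` exclusion is added only to MATCH_HTTP_DATA; the MATCH_FILE_DATA and MATCH_MAIL_DATA definitions in the following context lines keep their original character classes, so a file:// or mailto: match containing a quote would still be highlighted in full. If those matches feed the same `'%s'` / system() construction, add `'` to their negated classes as well (e.g. `[^|.< \t\r\n\\\"']`). It would also help to state in the changelog that the regexp change is defence in depth: the underlying problem is that matched text is interpolated into a shell command line, and the durable fix is to launch the handler without a shell (for instance g_spawn_async() with an argv array), which the hunk does not touch.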
That probably needs a sanity-check from the maintainer/upstream or
somebody else. I've just added ' everywhere I saw ".
Steve
--
Added tag(s) patch.
Request was from Steve Kemp <steve@steve.org.uk>
to control@bugs.debian.org.
(Thu, 09 Feb 2017 05:51:03 GMT)
Reply sent
to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility.
(Tue, 14 Feb 2017 19:09:35 GMT)
Notification sent
to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer.
(Tue, 14 Feb 2017 19:09:35 GMT)
Message #17 received at 854585-done@bugs.debian.org:
Version: 0.5.1-1+rm
Dear submitter,
as the package evilvte has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/854661
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 15 Mar 2017 07:36:21 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jan 10 18:40:42 2018; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.