Ticket #2913 (closed defect: fixed)
CVE-2012-4463 mc-4.8.5: Does not sanitize MC_EXT_SELECTED variable properly
| Reported by: | iankko | Owned by: | slavazanko |
|---|---|---|---|
| Priority: | minor | Milestone: | 4.8.7 |
| Component: | mc-core | Version: | 4.8.5 |
| Keywords: | Security, CVE-2012-4463 | Cc: | onlyjob@…, jnovy@…, milan.cermak@… |
| Blocked By: | | Blocking: | |
| Branch state: | merged | Votes for changeset: | committed-master |
Description
Paul Hartman reported the following (minor) security flaw in Gentoo's bugzilla:
When multiple files are selected and the F3 / Enter key is pressed on some of the files, the MC_EXT_SELECTED variable does not sanitize the whitespace characters properly (leading to a situation where the first file is used as the actual value of the MC_EXT_SELECTED variable and the remaining files from the list are used as arguments passed to the temporary script created to handle the F3 / Enter action on the first file).
A remote attacker could provide a specially-crafted archive and trick the local Midnight Commander user into expanding and viewing it, which under certain circumstances could lead to arbitrary code execution with the privileges of the user running the mc executable.
Attachments
Change History
comment:2 Changed 12 years ago by iankko
- Keywords Security, CVE-2012-4463 added; Security removed
- Summary changed from mc-4.8.5: Does not sanitize MC_EXT_SELECTED variable properly to CVE-2012-4463 mc-4.8.5: Does not sanitize MC_EXT_SELECTED variable properly
The CVE identifier of CVE-2012-4463 has been assigned to this issue:
[3] http://www.openwall.com/lists/oss-security/2012/10/03/5
comment:6 Changed 12 years ago by slackmail
Hi all, no offence intended, but...
The provided fix in "https://bugs.gentoo.org/show_bug.cgi?id=436518" for this security related bug is NOT correct.
So in order to limit the damage resulting from "blindly" copying the above patch I attach an extended and really *working* fix for this issue.
A short explanation for all interested:
The original modification of "g_string_append_printf" builds a temporary shell script where every assignment made to environment variables except MC_EXT_FILENAME is quoted (MC_EXT_BASENAME, MC_EXT_CURRENTDIR, MC_EXT_SELECTED, MC_EXT_ONLYTAGGED).
This completely breaks every script using the variables MC_EXT_BASENAME and MC_EXT_CURRENTDIR because they are now double quoted.
My modification adds the logic needed to only quote the filename lists MC_EXT_SELECTED and MC_EXT_ONLYTAGGED.
Hope this helps anyone looking for a preliminary solution...
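The following is an added illustration of the quoting defect discussed in this ticket; it is not code from mc, from the Gentoo patch or from the attached fix. It models the temporary script line that assigns the selected filenames to MC_EXT_SELECTED: written unquoted, a POSIX shell splits the line into several words, so only the first filename becomes the variable's value and the rest become command words and arguments, exactly as the description states. Quoting the value so that it lands as one shell word removes that split. `shlex.split` is used as a stand-in for the shell's tokeniser and `shlex.quote` for the C-side quoting the fix adds; the sample filenames are constructed.

```python
"""Model of the MC_EXT_SELECTED quoting defect (added example, not mc code).

mc generates a temporary shell script containing a line such as
    MC_EXT_SELECTED=<space-separated list of selected files>
shlex.split() tokenises a line the way a POSIX shell does, which lets us show
what the shell sees for the unquoted and the quoted form of that line.
"""
import shlex
from typing import List, Optional, Tuple

# Constructed sample selection: three files, one with a space in its name.
SAMPLE_SELECTION = ["report.txt", "notes 2012.txt", "todo.md"]


def join_selection(files: List[str]) -> str:
    """The space-separated list that mc exposes as MC_EXT_SELECTED."""
    return " ".join(files)


def assignment_unquoted(var: str, value: str) -> str:
    """Pre-fix form described in the ticket: the value is pasted in verbatim."""
    return f"{var}={value}"


def assignment_quoted(var: str, value: str) -> str:
    """Fixed form: the value is quoted so the assignment is exactly one word.

    shlex.quote (single-quote style) stands in for the quoting the fix adds
    on the C side; any quoting that yields a single word serves the purpose.
    """
    return f"{var}={shlex.quote(value)}"


def shell_words(line: str) -> List[str]:
    """Split a generated script line into the words a POSIX shell would see."""
    return shlex.split(line)


def parse_assignment(line: str) -> Optional[Tuple[str, str]]:
    """Return (name, value) if the line is a single NAME=value word, else None.

    This is the self-check a generator of shell scripts can run on each
    assignment it emits: more than one word means part of the value has
    spilled out of the assignment and will be executed or passed as arguments.
    """
    words = shell_words(line)
    if len(words) != 1 or "=" not in words[0]:
        return None
    name, _, value = words[0].partition("=")
    return name, value


if __name__ == "__main__":
    value = join_selection(SAMPLE_SELECTION)
    bad = assignment_unquoted("MC_EXT_SELECTED", value)
    good = assignment_quoted("MC_EXT_SELECTED", value)
    # Unquoted: four words; only "report.txt" ends up in the variable.
    print("unquoted line ->", shell_words(bad))
    # Quoted: one word; the variable holds the complete list.
    print("quoted line   ->", parse_assignment(good))
```

The check in `parse_assignment` is deliberately independent of how the value was quoted: it only asserts the property that matters, that the emitted line is a single assignment word, so it can be applied to any generated script line regardless of which escaping routine produced it.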
comment:7 Changed 12 years ago by slavazanko
- Status changed from new to accepted
- Owner set to slavazanko
- Branch state changed from no branch to on review
- Milestone changed from Future Releases to 4.8.7
Created branch 2913_sanitize
Review, please.
comment:9 Changed 12 years ago by angel_il
- Votes for changeset changed from andrew_b to andrew_b angel_il
- Branch state changed from on review to approved
comment:10 Changed 12 years ago by slavazanko
- Status changed from accepted to testing
- Votes for changeset changed from andrew_b angel_il to committed-master
- Resolution set to fixed
- Branch state changed from approved to merged
Merged to master:
git log --pretty=oneline bf475ce..a51df49
CVE request:
[1] http://www.openwall.com/lists/oss-security/2012/10/03/4
Red Hat Bugzilla entry:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=862813