
List:       oss-security
Subject:    Re: [oss-security] CVE request: feh
From:       Josh Bressers <bressers () redhat ! com>
Date:       2010-06-28 20:12:58
Message-ID: 624298254.1378791277755978846.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

Please use CVE-2010-2246

Thanks.

-- 
    JB


----- "Daniel Friesel" <derf@chaosdorf.de> wrote:

> Hi,
> 
> there is an arbitrary code execution hole in feh versions <= 1.7 down to at
> least 1.3.4 (I didn't check earlier ones).
> When the user uses feh to open a remote file (URL) and uses the
> --wget-timestamp option, feh passes the unescaped URL to a system() call.
> 
> So if an attacker can trick the user into opening an image URL containing
> shell metacharacters with feh --wget-timestamp, he is able to execute
> arbitrary shell code with the rights of the user executing feh. This requires
> the URL to resolve to an existing file, however. Obfuscating the shell code
> with HTTP escapes (like %20) does not seem to work, and a redirect (via
> tinyurl or similar) to a malicious URL will also have no effect.
> 
> Example:
> remnant /t/feh > ls
> remnant /t/feh > feh --wget-timestamp 'https://derf.homelinux.org/stuff/bar`touch lol_hax`.jpg'
> /bin/cp: cannot stat `/tmp/feh_011422_bar.jpg': No such file or directory
> feh WARNING: /tmp/feh_011422_000001_bar`touch lol_hax`.jpg does not exist - skipping
> feh WARNING: /tmp/feh_011422_000001_bar`touch lol_hax`.jpg - File does not exist
> feh - No loadable images specified.
> Use feh --help for detailed usage information
> remnant /t/feh > ls
> lol_hax
> remnant /t/feh >
> 
> This has been fixed in feh 1.8:
> <https://derf.homelinux.org/projects/feh/changelog>
> 
> Please assign a CVE.
> 
> Thanks,
> Daniel
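
The defect the report describes, written out as an added C illustration (this is not feh's code and not from the report): the URL spliced into a shell command string, beside the same wget invocation with the URL passed as a single argv element so no shell ever parses it. The wget flags, the metacharacter list and the helper names are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Illustrative list of characters the shell treats specially. A URL carrying
   any of them must never be concatenated into a system() command line. */
static const char SHELL_META[] = "`$;|&<>()\"'\\ \t\n*?[]{}";

/* Detection aid: returns 1 if the URL contains shell metacharacters, else 0.
   Useful for logging/refusing input, but not a substitute for avoiding the shell. */
int url_has_shell_metachars(const char *url) {
    return url[strcspn(url, SHELL_META)] != '\0';
}

/* The flawed pattern from the report: the URL becomes part of a shell command
   string. Shown only to make the problem visible; nothing here calls system().
   Returns 0 on success, -1 if the buffer was too small. */
int build_shell_command(char *out, size_t outlen, const char *url, const char *dest) {
    int n = snprintf(out, outlen, "wget -N -O %s %s", dest, url);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* The hardened pattern: fork+execvp with an argv array. The URL is one argument,
   so backticks, semicolons etc. reach wget as literal characters. "--" ends
   option parsing so a URL beginning with "-" cannot be read as a wget option.
   Returns wget's exit status, 127 if exec failed, -1 on fork/wait error. */
int run_wget_argv(const char *url, const char *dest) {
    char *const argv[] = { "wget", "-N", "-O", (char *)dest, "--", (char *)url, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                       /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Running `build_shell_command` on the URL from the report shows the backtick group surviving intact into the command string, which is exactly what `run_wget_argv` prevents.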