
List:       oss-security
Subject:    [oss-security] Command Injection in mime-support/run-mailcap (CVE-2014-7209)
From:       "Timothy D. Morgan" <tim.advisories () blindspotsecurity ! com>
Date:       2014-12-31 17:38:49
Message-ID: 54A434A9.3000907 () blindspotsecurity ! com

Hello,

I discovered a shell injection vulnerability in the run-mailcap script of the
mime-support package.  This vulnerability is exploitable in a variety of very
specific scenarios when an attacker can convince a victim to open a file with a
malicious file name using the run-mailcap script.  Only a handful of software
packages (such as email clients) are likely to call run-mailcap directly, but it can
also be called by xdg-open, which is much more widely used.  However, in the xdg-open
case, the victim must not be using one of the popular desktop environments in order
for the issue to be triggered.  In the xdg-open case, it was possible to execute
arbitrary code using Google Chrome/Chromium file downloads as a vector.  (Yes, this
is a separate issue from the xdg-open shell injection vulnerability that was reported
not long ago.)

It seems that mime-support is primarily used by Debian-based Linux distributions,
though FreeBSD does have a port for it.  I'm not sure what other distros may make it
available.  Debian has released a security update (DSA-3114-1) for the issue.  I am
also attaching patches which correct the flaw in the previous version.

Thanks to Salvatore Bonaccorso and Charles Plessy for developing the patches.

tim

["0001-CVE-2014-7209-Fix-shell-command-injection.patch" (text/x-patch)]

From da75c215e01e1b3be7498bef78f1f64d1e8c0693 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 12 Dec 2014 22:25:30 +0100
Subject: [PATCH 1/2] CVE-2014-7209: Fix shell command injection

---
 run-mailcap | 37 ++++++++++++++++++-------------------
 1 file changed, 18 insertions(+), 19 deletions(-)

diff --git a/run-mailcap b/run-mailcap
index c5bfa5c..dd98178 100755
--- a/run-mailcap
+++ b/run-mailcap
@@ -474,27 +474,26 @@ foreach (@files) {
         }
 
         if ($file ne "-") {
-            if ($comm =~ m/[^%]%s/) {
-                if ($file =~ m![^ a-z0-9,.:/@%^+=_-]!i) {
-                    $match =~ m/nametemplate=(.*?)\s*($|;)/;
-                    my $prefix = $1;
-                    my $linked = 0;
-                    while (!$linked) {
-                        $tmplink = TempFile($prefix);
-                        unlink($tmplink);
-                        if ($file =~ m!^/!) {
-                            $linked = symlink($file,$tmplink);
-                        } else {
-                            my $pwd = `/bin/pwd`;
-                            chomp($pwd);
-                            $linked = symlink("$pwd/$file",$tmplink);
-                        }
+            if ($file =~ m![^ a-z0-9,.:/@%^+=_-]!i) {
+                $match =~ m/nametemplate=(.*?)\s*($|;)/;
+                my $prefix = $1;
+                my $linked = 0;
+                while (!$linked) {
+                    $tmplink = TempFile($prefix);
+                    unlink($tmplink);
+                    if ($file =~ m!^/!) {
+                        $linked = symlink($file,$tmplink);
+                    } else {
+                        my $pwd = `/bin/pwd`;
+                        chomp($pwd);
+                        $linked = symlink("$pwd/$file",$tmplink);
                     }
-                    print STDERR " - filename contains shell meta-characters; aliased to '$tmplink'\n" if $debug;
-                    $comm =~ s/([^%])%s/$1$tmplink/g;
-                } else {
-                    $comm =~ s/([^%])%s/$1$file/g;
                 }
+                $file = $tmplink;
+                print STDERR " - filename contains shell meta-characters; aliased to '$tmplink'\n" if $debug;
+            }
+            if ($comm =~ m/[^%]%s/) {
+                   $comm =~ s/([^%])%s/$1$file/g;
             } else {
                 if ($comm =~ m/\|/) {
                     $comm =~ s/\|/<\Q$file\E \|/;
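
Review bot: In the block moved out of the %s test, the line $match =~ m/nametemplate=(.*?)\s*($|;)/; is followed by my $prefix = $1; with no check that the match succeeded. This block now runs for every command rather than only those containing %s, so a mailcap entry without a nametemplate field reaches it more often, and $prefix is then not taken from that entry. Capture in list context instead, for example my ($prefix) = $match =~ m/nametemplate=(.*?)\s*(?:$|;)/; and handle the undefined case explicitly before calling TempFile. Minor: the re-added $comm =~ s/([^%])%s/$1$file/g; line is indented three spaces deeper than the block it sits in.
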
-- 
2.1.3


["0002-Resolve-file-name-to-an-absolute-path.patch" (text/x-patch)]

From 6cd7488322c61fbd3aca00a4f9be8ade6c9b8f64 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 12 Dec 2014 22:27:00 +0100
Subject: [PATCH 2/2] Resolve file name to an absolute path

---
 run-mailcap | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/run-mailcap b/run-mailcap
index dd98178..5443bec 100755
--- a/run-mailcap
+++ b/run-mailcap
@@ -9,6 +9,7 @@
 #
 ###############################################################################
 
+use File::Spec;
 
 $debug=($ENV{RUN_MAILCAP_DEBUG} || 0);
 $norun=0;
@@ -474,6 +475,8 @@ foreach (@files) {
         }
 
         if ($file ne "-") {
+            # Resolve file name to an absolute path
+            $file = File::Spec->rel2abs($file);
             if ($file =~ m![^ a-z0-9,.:/@%^+=_-]!i) {
                 $match =~ m/nametemplate=(.*?)\s*($|;)/;
                 my $prefix = $1;
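
Review bot: The added comment above File::Spec->rel2abs($file) says "Resolve", but rel2abs only prepends the current directory and tidies the string; it does not follow symlinks or collapse ".." components, so the value then tested against the character whitelist and used as the symlink target is absolute but not canonical. If canonical resolution is intended, Cwd::abs_path does that; otherwise reword the comment to "Make file name absolute". The commit message has no body, and one sentence on why an absolute path is wanted at this point would help anyone reading this patch next to the CVE fix.
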
@@ -481,13 +484,7 @@ foreach (@files) {
                 while (!$linked) {
                     $tmplink = TempFile($prefix);
                     unlink($tmplink);
-                    if ($file =~ m!^/!) {
-                        $linked = symlink($file,$tmplink);
-                    } else {
-                        my $pwd = `/bin/pwd`;
-                        chomp($pwd);
-                        $linked = symlink("$pwd/$file",$tmplink);
-                    }
+                    $linked = symlink($file,$tmplink);
                 }
                 $file = $tmplink;
                 print STDERR " - filename contains shell meta-characters; aliased to '$tmplink'\n" if $debug;
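
Review bot: The while (!$linked) loop that now wraps the single symlink($file,$tmplink) call has no failure exit: if symlink fails for a reason other than the name already being taken, for example an unwritable temporary directory, the loop calls TempFile again and retries forever. Check $! after a failed symlink and die unless it is EEXIST, or cap the number of retries. The unlink($tmplink) followed by symlink also leaves a short window in which the name is free for anyone to take, which is the one case the retry exists for, so a comment stating that would help.
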
-- 
2.1.3

