List: oss-security
Subject: [oss-security] Command Injection in mime-support/run-mailcap (CVE-2014-7209)
From: "Timothy D. Morgan" <tim.advisories () blindspotsecurity ! com>
Date: 2014-12-31 17:38:49
Message-ID: 54A434A9.3000907 () blindspotsecurity ! com
Hello,
I discovered a shell injection vulnerability in the run-mailcap script of the
mime-support package. This vulnerability is exploitable in a variety of very
specific scenarios when an attacker can convince a victim to open a file with a
malicious file name using the run-mailcap script. Only a handful of software
packages (such as email clients) are likely to call run-mailcap directly, but it can
also be called by xdg-open, which is much more widely used. However, in the xdg-open
case, the victim must not be using one of the popular desktop environments in order
for the issue to be triggered. In the xdg-open case, it was possible to execute
arbitrary code using Google Chrome/Chromium file downloads as a vector. (Yes, this
is a separate issue from the xdg-open shell injection vulnerability that was reported
not long ago.)
It seems that mime-support is primarily used by Debian-based Linux distributions,
though FreeBSD does have a port for it. I'm not sure what other distros may make it
available. Debian has released a security update (DSA-3114-1) for the issue. I am
also attaching patches which correct the flaw in the previous version.
Thanks to Salvatore Bonaccorso and Charles Plessy for developing the patches.
tim
["0001-CVE-2014-7209-Fix-shell-command-injection.patch" (text/x-patch)]
From da75c215e01e1b3be7498bef78f1f64d1e8c0693 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 12 Dec 2014 22:25:30 +0100
Subject: [PATCH 1/2] CVE-2014-7209: Fix shell command injection
---
run-mailcap | 37 ++++++++++++++++++-------------------
1 file changed, 18 insertions(+), 19 deletions(-)
diff --git a/run-mailcap b/run-mailcap
index c5bfa5c..dd98178 100755
--- a/run-mailcap
+++ b/run-mailcap
@@ -474,27 +474,26 @@ foreach (@files) {
}
if ($file ne "-") {
- if ($comm =~ m/[^%]%s/) {
- if ($file =~ m![^ a-z0-9,.:/@%^+=_-]!i) {
- $match =~ m/nametemplate=(.*?)\s*($|;)/;
- my $prefix = $1;
- my $linked = 0;
- while (!$linked) {
- $tmplink = TempFile($prefix);
- unlink($tmplink);
- if ($file =~ m!^/!) {
- $linked = symlink($file,$tmplink);
- } else {
- my $pwd = `/bin/pwd`;
- chomp($pwd);
- $linked = symlink("$pwd/$file",$tmplink);
- }
+ if ($file =~ m![^ a-z0-9,.:/@%^+=_-]!i) {
+ $match =~ m/nametemplate=(.*?)\s*($|;)/;
+ my $prefix = $1;
+ my $linked = 0;
+ while (!$linked) {
+ $tmplink = TempFile($prefix);
+ unlink($tmplink);
+ if ($file =~ m!^/!) {
+ $linked = symlink($file,$tmplink);
+ } else {
+ my $pwd = `/bin/pwd`;
+ chomp($pwd);
+ $linked = symlink("$pwd/$file",$tmplink);
}
- print STDERR " - filename contains shell meta-characters; aliased to '$tmplink'\n" if $debug;
- $comm =~ s/([^%])%s/$1$tmplink/g;
- } else {
- $comm =~ s/([^%])%s/$1$file/g;
}
+ $file = $tmplink;
+ print STDERR " - filename contains shell meta-characters; aliased to '$tmplink'\n" if $debug;
+ }
+ if ($comm =~ m/[^%]%s/) {
+ $comm =~ s/([^%])%s/$1$file/g;
} else {
if ($comm =~ m/\|/) {
$comm =~ s/\|/<\Q$file\E \|/;
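Review bot: the `%s` branch near the end of this hunk still inserts `$file` into `$comm` unquoted (`$comm =~ s/([^%])%s/$1$file/g;`), so its safety rests entirely on the character class in `m![^ a-z0-9,.:/@%^+=_-]!i`, and that class accepts a space and a leading `-`. A name containing either is not aliased and reaches the command string as is, where it can be split into several words or read as an option unless the mailcap entry quotes `%s` itself. Consider removing the space from the class so that such names are aliased too, or add a comment stating the quoting assumption; the pipe branch in the trailing context already escapes with `\Q$file\E`.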
--
2.1.3
["0002-Resolve-file-name-to-an-absolute-path.patch" (text/x-patch)]
From 6cd7488322c61fbd3aca00a4f9be8ade6c9b8f64 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 12 Dec 2014 22:27:00 +0100
Subject: [PATCH 2/2] Resolve file name to an absolute path
---
run-mailcap | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/run-mailcap b/run-mailcap
index dd98178..5443bec 100755
--- a/run-mailcap
+++ b/run-mailcap
@@ -9,6 +9,7 @@
#
###############################################################################
+use File::Spec;
$debug=($ENV{RUN_MAILCAP_DEBUG} || 0);
$norun=0;
@@ -474,6 +475,8 @@ foreach (@files) {
}
if ($file ne "-") {
+ # Resolve file name to an absolute path
+ $file = File::Spec->rel2abs($file);
if ($file =~ m![^ a-z0-9,.:/@%^+=_-]!i) {
$match =~ m/nametemplate=(.*?)\s*($|;)/;
my $prefix = $1;
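Review bot: the added comment above `$file = File::Spec->rel2abs($file);` says "Resolve", but `rel2abs` only prepends the current directory and cleans up the path text; it does not follow symlinks or collapse `..` components, so the comment should say "make absolute" to avoid suggesting a canonical path. Because the call now runs before the `m![^ a-z0-9,.:/@%^+=_-]!i` test, the working directory's own name is checked as well, which changes which files get aliased. The commit message carries a subject line only; a sentence in the body explaining that effect would help later readers.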
@@ -481,13 +484,7 @@ foreach (@files) {
while (!$linked) {
$tmplink = TempFile($prefix);
unlink($tmplink);
- if ($file =~ m!^/!) {
- $linked = symlink($file,$tmplink);
- } else {
- my $pwd = `/bin/pwd`;
- chomp($pwd);
- $linked = symlink("$pwd/$file",$tmplink);
- }
+ $linked = symlink($file,$tmplink);
}
$file = $tmplink;
print STDERR " - filename contains shell meta-characters; aliased to '$tmplink'\n" if $debug;
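Review bot: the `while (!$linked)` loop left as context around the new `$linked = symlink($file,$tmplink);` line has no retry limit and discards the reason for a failure, so if the link can never be created (for example, the temporary directory is not writable) the script spins without any diagnostic. Now that the loop body is a single call, this is a good place to cap the number of attempts and report `$!` when the cap is reached. The `unlink($tmplink)` immediately before the `symlink` also leaves a short window in which the name is free again; retrying on failure covers the collision case, but a comment saying so would make the intent clear.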
--
2.1.3