Bug#1031267: debmany: shell injection

2024-01-27 Thread Jakub Wilk
Possible alternative approach: if the path contains any suspicious characters, create a temporary symlink with a safe name, and pass that symlink to eval instead. I'm not sure it's a _better_ approach, but maybe worth considering. (I stole the idea from run-mailcap(1).)
* Axel Beckert,

Bug#1031267: debmany: shell injection

2024-01-20 Thread Jakub Wilk
The example viewer in the man page also uses eval:
    #!/bin/dash
    read -p "program to use: " pgm
    eval $pgm "$1"
Please fix it too.
-- Jakub Wilk

Bug#1031267: debmany: shell injection

2024-01-15 Thread Jakub Wilk
* Axel Beckert, 2023-02-14 15:53:
> the exploit code is always shown to the user before the exploit actually runs
Sneakier exploits might be possible, though. For example, for dialog(1), the backspace character can be used to hide stuff, e.g:
H=$(printf '\b') dialog --title '' --menu ''

Bug#1031267: debmany: shell injection

2023-03-05 Thread Salvatore Bonaccorso
Control: retitle -1 debmany: CVE-2023-27635: shell injection
On Sun, Feb 19, 2023 at 05:47:20AM +0100, Axel Beckert wrote:
> Control: tag -1 + patch pending
>
> Hi Jakub,
>
> found time to analyse this closer.
>
> Axel Beckert wrote:
> > Given that the full path including the exploit code is

Bug#1031267: debmany: shell injection

2023-02-18 Thread Axel Beckert
Control: tag -1 + patch pending
Hi Jakub,
found time to analyse this closer.
Axel Beckert wrote:
> Given that the full path including the exploit code is always shown to
> the user before the exploit actually runs, I consider the impact
> rather low:
>
> ┌┤ Select a

Bug#1031267: debmany: shell injection

2023-02-14 Thread Axel Beckert
Control: tag -1 + confirmed
Hi Jakub,
thanks for the bug report.
Jakub Wilk wrote:
> debmany passes filenames from the .deb (which should be considered untrusted
> input) to eval.
>
> I've attached proof-of-concept exploit.
Thanks. Can reproduce it. Given that the full path including the

Bug#1031267: debmany: shell injection

2023-02-14 Thread Jakub Wilk
* Jakub Wilk, 2023-02-14 10:53:
> attached proof-of-concept exploit.
The code that generated the crafted .deb is here: https://github.com/jwilk/crafted.deb/blob/master/gen-deb1031267-debmany
-- Jakub Wilk