Package: canto
Version: 0.7.10-4
Severity: important
Tags: security
Dear Maintainer,

I have just found a command line injection security vuln in canto. The program fetches feeds from configured sites, and the feeds contain URLs that people may want to visit. If a user starts canto and chooses to go to one URL from one feed, canto constructs a sh command line to visit the URL, but it doesn't remove metachars. Therefore a malicious feed (owner turned bad, man-in-the-middle attack if fetched with http) can put bad data in all link and guid elements of the feed and use this to hack the user when they visit some of the URLs. Not good.

See my conf.py and evil.rss files for an example.

Sorry for my English!

Regards,
the_walrus_88

-- System Information:
Debian Release: 7.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages canto depends on:
ii  libc6              2.13-38
ii  libncursesw5       5.9-10
ii  libtinfo5          5.9-10
ii  python             2.7.3-4+deb7u1
ii  python-chardet     2.0.1-2
ii  python-feedparser  5.1.2-1
ii  python2.7          2.7.3-6

canto recommends no packages.

canto suggests no packages.

-- no debconf information
Attachment: evil.rss (Description: application/rss)

add("http://localhost/evil.rss")
link_handler("elinks \"%u\"", text=True)
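The following is an added example, not code from canto or from the report above. It reproduces the pattern the reporter describes (a handler template with "%u" turned into an sh command line by text substitution) beside a hardened builder that keeps the URL as a single argv element and never hands it to a shell, plus a token-level check a maintainer can use to confirm whether a given link value would add commands. The function names, the example.invalid URLs and the INJECTED marker are constructed for this illustration; the template shape mirrors the reporter's link_handler line.

```python
# Added example (not from canto or the bug report). Shows the vulnerable
# substitute-into-sh pattern next to an argv-list builder, and a check that
# tokenises the rendered line the way sh would. All names and sample values
# below are constructed for illustration.
import shlex
import subprocess

# Constructed sample link values. The hostile one carries the metachars the
# reporter warns about: '"' closes the quoted %u in the template and ';'
# would let sh start a second command.
BENIGN_URL = "http://example.invalid/article?id=1&ref=feed"
HOSTILE_URL = 'http://example.invalid/"; echo INJECTED; "'

# Same shape as the reporter's handler template: elinks "%u"
TEMPLATE = 'elinks "%u"'

SEPARATORS = {";", "|", "&", "&&", "||"}


def build_command_naive(template, url):
    """Vulnerable pattern: plain text substitution. The result is meant for
    sh -c, so every character of the URL is re-parsed by the shell."""
    return template.replace("%u", url)


def build_command_safe(template, url):
    """Hardened pattern: parse the template with shell quoting rules once,
    then substitute the URL inside an argv element. The list goes to
    subprocess without a shell, so the URL's characters stay literal."""
    return [arg.replace("%u", url) for arg in shlex.split(template)]


def shell_tokens(command_line):
    """Tokenise like sh, keeping ';', '|', '&' as their own tokens, so we
    can see whether a substituted URL introduced extra commands."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def injects_commands(template, url):
    """Check for a maintainer: does the naive rendering contain a command
    separator that the template itself did not have?"""
    before = {t for t in shell_tokens(template) if t in SEPARATORS}
    rendered = build_command_naive(template, url)
    after = {t for t in shell_tokens(rendered) if t in SEPARATORS}
    return bool(after - before)


def run_safe(template, url):
    """Launch the handler without a shell and return its stdout."""
    proc = subprocess.run(build_command_safe(template, url),
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    rendered = build_command_naive(TEMPLATE, HOSTILE_URL)
    print("naive  :", rendered)
    print("tokens :", shell_tokens(rendered))  # ';' and 'echo' appear
    print("safe   :", build_command_safe(TEMPLATE, HOSTILE_URL))
    print("injects:", injects_commands(TEMPLATE, HOSTILE_URL),
          injects_commands(TEMPLATE, BENIGN_URL))
    # echo stands in for elinks so the demo runs anywhere: the hostile URL
    # comes back as one literal argument instead of running "echo INJECTED".
    print(run_safe('echo "%u"', HOSTILE_URL), end="")
```

The token check is deliberately not a character blacklist: a benign feed URL legitimately contains '&' and '?', and inside the template's quotes those are harmless, so only separators that survive shell parsing of the rendered line count as injection. The real fix is the argv form, which makes the check unnecessary for the launch path.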