Package: lsyncd
Version: 2.1.5-2
Severity: normal
Tags: patch security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
--- Please enter the report below this line. ---

In the default-direct.lua file, in the "event.etype == 'Move'" branch, instead of using a direct fork/exec a shell is spawned. Its arguments aren't quoted, so one can inject additional parameters using whitespace characters. File paths passed to the lua script seem to be absolute, so at least the other branches doing direct exec but not using '--' are probably safe.

Examples can be tested after entering the source directory.

Example 1:

  $ touch ' '
  $ mv ' ' sthelse

Causes rm -rf on target (the whole directory).

Example 2:

  $ touch -- ' -t tmp'
  $ mv ' -t tmp' ' sthelse'

Moves the target directory and its contents to /tmp. lsyncd's cwd is /.

I attach a patch, possibly correct -- I don't know lua.

--- System information. ---
Architecture: amd64
Kernel: Linux 3.16.0-4-amd64

Debian Release: 8.2
  500 stable security.debian.org
  500 stable ftp.pl.debian.org
   50 testing security.debian.org
   50 testing ftp.pl.debian.org

--- Package information. ---
Package's Depends field is empty.
Package's Recommends field is empty.
Package's Suggests field is empty.

-- 
Marcin Szewczyk http://wodny.org
mailto:marcin.szewc...@wodny.borg <- remove b
xmpp:wo...@ubuntu.pl xmpp:wo...@jabster.pl
--- default-direct-orig.lua 2013-06-03 13:48:29.000000000 +0200 +++ default-direct.lua 2015-10-07 23:33:30.211204331 +0200 @@ -109,13 +109,13 @@ error('Refusing to erase your harddisk!') end - local command = '/bin/mv $1 $2 || /bin/rm -rf $1' + local command = '/bin/mv "$1" "$2" || /bin/rm -rf "$1"' if config.delete ~= true and config.delete ~= 'running' then - command = '/bin/mv $1 $2' + command = '/bin/mv "$1" "$2"' end spawnShell(
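Review bot: quoting "$1" and "$2" stops the word splitting that both examples in the report rely on, but the quoted template still passes each path to /bin/mv and /bin/rm as a positional word that can be parsed as an option if it starts with '-'; the report itself points out that the direct-exec branches rely on paths being absolute rather than on '--', so `/bin/mv -- "$1" "$2" || /bin/rm -rf -- "$1"` would close that gap for the shell branch too. Since the other branches already avoid the shell, the more complete fix is to spawn /bin/mv directly with the two paths as separate arguments, which makes the quoting question moot; the `|| /bin/rm -rf "$1"` fallback keeps the existing delete-on-failed-move semantics and is unchanged by this patch.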
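The following is an added illustration, not lsyncd's code or the reporter's patch: it emulates what the shell does to the two path arguments under the original unquoted template and under the quoted one, using a harmless `set --` in place of /bin/mv so nothing is moved or deleted. The paths used are constructed to mirror the report's two examples (a file named ' ' and a file named ' -t tmp' under a hypothetical /target directory).

```shell
#!/bin/sh
# Added example (not part of the bug report or of lsyncd). It shows why
# '/bin/mv $1 $2 || /bin/rm -rf $1' misbehaves on paths containing
# whitespace and why '/bin/mv "$1" "$2"' does not. Instead of running
# /bin/mv we only rebuild the argument vector the command would see and
# print it with '|' after every argument, so the output is safe to run.

# Emulates the ORIGINAL template: $1 and $2 are expanded unquoted, so the
# shell splits each path on IFS whitespace and drops leading/trailing blanks.
unquoted_argv() {
    sh -c 'set -- $1 $2; printf "%s|" "$@"' sh "$1" "$2"
}

# Emulates the PATCHED template: "$1" and "$2" are expanded quoted, so each
# path stays exactly one argument however many blanks it contains.
quoted_argv() {
    sh -c 'set -- "$1" "$2"; printf "%s|" "$@"' sh "$1" "$2"
}

# Report example 1: a file literally named ' ' moved to 'sthelse'.
# Unquoted, the trailing blank vanishes and mv is asked to move the
# directory /target/ into itself; that fails, and the '|| rm -rf $1'
# fallback then runs on /target/, i.e. the whole directory.
# Quoted, mv receives '/target/ ' and '/target/sthelse' as intended.
unquoted_argv '/target/ ' '/target/sthelse'
quoted_argv   '/target/ ' '/target/sthelse'

# Report example 2: a file named ' -t tmp' moved to ' sthelse'.
# Unquoted, the path is split into '/target/', '-t', 'tmp', ... so mv
# sees a -t option; quoted, the two paths arrive as two arguments.
unquoted_argv '/target/ -t tmp' '/target/ sthelse'
quoted_argv   '/target/ -t tmp' '/target/ sthelse'
```

Running the block prints four lines; the unquoted ones show the path fragments that become separate arguments, the quoted ones show the two intact paths. Quoting fixes the splitting problem only; spawning /bin/mv directly with the two paths as separate arguments, as the report notes the other branches already do, avoids shell expansion entirely.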