Package: lsyncd
Version: 2.1.5-2
Severity: normal
Tags: patch security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org

--- Please enter the report below this line. ---

In the default-direct.lua file in the "event.etype == 'Move'" branch
instead of using a direct fork/exec a shell is spawned. Its arguments
aren't quoted so one can inject additional parameters using whitespace
characters.

File paths passed to the lua script seem to be absolute, so at least
other branches doing direct exec but not using '--' are probably safe.

Examples can be tested after entering the source directory.

Example 1:
$ touch ' '
$ mv ' ' sthelse
Causes rm -rf on target (the whole directory)

Example 2:
$ touch -- ' -t tmp'
$ mv ' -t tmp' ' sthelse'
Moves the target directory and its contents to /tmp. lsyncd's cwd is /.

I attach a patch, possibly correct -- I don't know lua.

--- System information. ---
Architecture: amd64
Kernel:       Linux 3.16.0-4-amd64

Debian Release: 8.2
  500 stable          security.debian.org 
  500 stable          ftp.pl.debian.org 
   50 testing         security.debian.org 
   50 testing         ftp.pl.debian.org 

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.

-- 
Marcin Szewczyk                       http://wodny.org
mailto:marcin.szewc...@wodny.borg  <- remove b / usuń b
xmpp:wo...@ubuntu.pl                  xmpp:wo...@jabster.pl
--- default-direct-orig.lua	2013-06-03 13:48:29.000000000 +0200
+++ default-direct.lua	2015-10-07 23:33:30.211204331 +0200
@@ -109,13 +109,13 @@
 			error('Refusing to erase your harddisk!')
 		end
 
-		local command = '/bin/mv $1 $2 || /bin/rm -rf $1'
+		local command = '/bin/mv "$1" "$2" || /bin/rm -rf "$1"'
 
 		if
 			config.delete ~= true and
 			config.delete ~= 'running'
 		then
-			command = '/bin/mv $1 $2'
+			command = '/bin/mv "$1" "$2"'
 		end
 
 		spawnShell(
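Review bot: quoting "$1" and "$2" stops the word splitting and globbing that let a space in a path become extra operands (which also makes mv fail and hands a fragment of the path to the `rm -rf "$1"` fallback), but both command strings still place the operands directly after the options, so a path beginning with `-` would still be read as an option by mv or rm. The report observes that the paths reaching the script appear to be absolute, which makes that unlikely, but an end-of-options marker removes the dependency on that observation at no cost: `local command = '/bin/mv -- "$1" "$2" || /bin/rm -rf -- "$1"'` and, in the no-delete branch, `command = '/bin/mv -- "$1" "$2"'`. A short comment above the first assignment explaining that the `||` fallback is why this branch goes through a shell at all, unlike the direct-exec branches, would also help the next reader see why the quoting matters here.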

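The following is an added example, not code from the bug report or from lsyncd. It rebuilds the Move branch's original and patched command strings and runs them the way spawnShell does (sh -c with the source and target paths as $1 and $2), but with /bin/ replaced by a temporary directory holding a fake mv and rm that only log their operand count; the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Sandbox with fake mv and rm. Each fake logs "<tool>:<number of operands>";
# the fake mv fails unless it received exactly two operands, which is what
# triggers the "|| rm -rf" fallback in the original command string.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir "$SANDBOX/bin"
for tool in mv rm; do
    cat > "$SANDBOX/bin/$tool" <<'EOF'
#!/bin/sh
# Fake tool: record name and operand count; only mv is strict about two.
printf '%s:%d\n' "${0##*/}" "$#" >> "$LOG"
[ "${0##*/}" = rm ] || [ "$#" -eq 2 ]
EOF
    chmod +x "$SANDBOX/bin/$tool"
done

# The original (unquoted) and patched (quoted) strings from the report,
# with /bin/ swapped for the sandbox path so the fakes are what runs.
UNQUOTED="$SANDBOX/bin/mv \$1 \$2 || $SANDBOX/bin/rm -rf \$1"
QUOTED="$SANDBOX/bin/mv \"\$1\" \"\$2\" || $SANDBOX/bin/rm -rf \"\$1\""

# simulate TEMPLATE SRC DST: run TEMPLATE as spawnShell would and print the
# fakes' log, one "<tool>:<operands>" line per invocation.
simulate() {
    : > "$SANDBOX/log"
    LOG="$SANDBOX/log" sh -c "$1" _ "$2" "$3" || :
    cat "$SANDBOX/log"
}

# Constructed paths: the source name contains a space (cf. Example 1).
SRC='old name'
DST='/sync/target/new name'
echo "unquoted:"; simulate "$UNQUOTED" "$SRC" "$DST"   # mv:4 then rm:3
echo "quoted:";   simulate "$QUOTED"   "$SRC" "$DST"   # mv:2
```

In the unquoted run the split path gives mv four operands, mv fails, and the fallback rm is handed the fragments of the original name; the quoted string delivers exactly two operands and never reaches rm.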