Package: elinks
Version: 0.11.1-1.2
Severity: grave
Tags: security, patch

Hi,

Elinks loads an untrusted gettext catalog from the relative directory "../po/", and crashes (SIGSEGV) if the loaded file is corrupted. You can check by yourself with the following commands:

$ mkdir -p /tmp/elinks/{run,po}
$ cp /usr/share/locale/fr/LC_MESSAGES/elinks.mo /tmp/elinks/po/fr.gmo
$ dd if=/dev/urandom of=/tmp/elinks/po/fr.gmo bs=1024 seek=1 count=200
$ cd /tmp/elinks/run
$ LANG=fr_FR strace -eopen -otrace elinks
[...]
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
open("/usr/share/locale/locale.alias", O_RDONLY|O_LARGEFILE) = 3
open("../po/fr_FR.gmo", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/fr_FR/LC_MESSAGES/messages.mo", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("../po/fr.gmo", O_RDONLY|O_LARGEFILE) = 3
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++
Process 29917 detached

A gdb backtrace is included at the end of the message.

I tagged this bug as grave+security because it can be used to make elinks load any corrupted file, and possibly execute arbitrary code. Imagine an evil user placing some specially crafted files in "/tmp/po/". Then, another user (root for example) runs elinks from a directory "/tmp/foo/", and thus loads the bad file(s).

A quick grep for '\.\./po' in the elinks sources gives the culprit function: add_filename_to_string() around line 216 of file "elinks-0.11.1/src/intl/gettext/loadmsgcat.c". IMHO, changing this function to return NULL unconditionally should fix the problem (I did not want to download all the build dependencies to verify).

Regards,
Arnaud Giersch

$ gdb -q /usr/bin/elinks -c core
(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libgnutls.so.13...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgnutls.so.13
Reading symbols from /usr/lib/liblua50.so.5.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/liblua50.so.5.0
Reading symbols from /usr/lib/liblualib50.so.5.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/liblualib50.so.5.0
Reading symbols from /lib/tls/i686/cmov/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libm.so.6
Reading symbols from /usr/lib/libperl.so.5.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libperl.so.5.8
Reading symbols from /lib/tls/i686/cmov/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libdl.so.2
Reading symbols from /lib/tls/i686/cmov/libpthread.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libpthread.so.0
Reading symbols from /lib/tls/i686/cmov/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libc.so.6
Reading symbols from /lib/tls/i686/cmov/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libcrypt.so.1
Reading symbols from /usr/lib/libgpm.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgpm.so.1
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/libbz2.so.1.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libbz2.so.1.0
Reading symbols from /usr/lib/libexpat.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libexpat.so.1
Reading symbols from /usr/lib/libgnutls-openssl.so.13...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgnutls-openssl.so.13
Reading symbols from /usr/lib/libtasn1.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libtasn1.so.3
Reading symbols from /usr/lib/libgcrypt.so.11...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgcrypt.so.11
Reading symbols from /usr/lib/libgpg-error.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgpg-error.so.0
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.3.6.so...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/tls/i686/cmov/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnsl.so.1
(no debugging symbols found)
Core was generated by `elinks'.
Program terminated with signal 11, Segmentation fault.
#0  0x0809da6c in _nl_find_msg ()
(gdb) where
#0  0x0809da6c in _nl_find_msg ()
#1  0x0809f4fe in _nl_init_domain_conv ()
#2  0x0809fc28 in _nl_load_domain ()
#3  0x0809e896 in _nl_find_domain ()
#4  0x0809de99 in dcigettext__ ()
#5  0x0809d4c1 in dcgettext__ ()
#6  0x0809e8c2 in gettext__ ()
#7  0x080a356e in get_dyn_full_version ()
#8  0x080a36c9 in init_static_version ()
#9  0x080a1e8c in init_interlink ()
#10 0x080a2be0 in select_loop ()
#11 0x080a2444 in main ()
(gdb)

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable'), (40, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages elinks depends on:
ii  debconf        1.5.11        Debian configuration management sy
ii  libbz2-1.0     1.0.3-6       high-quality block-sorting file co
ii  libc6          2.3.6.ds1-13  GNU C Library: Shared libraries
ii  libexpat1      1.95.8-3.4    XML parsing C library - runtime li
ii  libgnutls13    1.4.4-3       the GNU TLS library - runtime libr
ii  libgpmg1       1.19.6-25     General Purpose Mouse - shared lib
ii  liblua50       5.0.3-2       Main interpreter library for the L
ii  liblualib50    5.0.3-2       Extension library for the Lua 5.0
ii  libperl5.8     5.8.8-7       Shared Perl library
ii  zlib1g         1:1.2.3-13    compression library - runtime

elinks recommends no packages.

-- no debconf information
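The report's suggested fix is to stop searching "../po/" at all; the crash itself comes from trusting offsets in a corrupt catalog. As an added example (not from the report or the elinks sources), here is a bounds-checking validator for a GNU .mo catalog that a loader could run before using a file, with a one-entry catalog constructed in memory as sample input. The .mo header layout used here is the standard GNU gettext format; the function names are my own.

```c
#include <stdint.h>
#include <string.h>

/* GNU .mo header: magic, revision, nstrings, orig table off, trans table off, hash size, hash off. */
#define MO_MAGIC         0x950412deu
#define MO_MAGIC_SWAPPED 0xde120495u

static uint32_t mo_u32(const unsigned char *p, int swap) {
    uint32_t v;
    memcpy(&v, p, 4);
    if (!swap) return v;
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Every (length, offset) pair must lie inside the file and its string must end in a NUL. */
static int mo_check_table(const unsigned char *buf, size_t len,
                          uint32_t off, uint32_t n, int swap) {
    if (n > len / 8 || off > len || (size_t)n * 8 > len - off) return -1;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t slen = mo_u32(buf + off + (size_t)8 * i, swap);
        uint32_t soff = mo_u32(buf + off + (size_t)8 * i + 4, swap);
        if (soff > len || slen >= len - soff || buf[soff + slen] != 0) return -1;
    }
    return 0;
}

/* Returns 0 if buf[0..len) is a structurally sound catalog, -1 if it must be rejected.
 * A loader that checks this first fails cleanly instead of faulting in _nl_find_msg(). */
int mo_validate(const unsigned char *buf, size_t len) {
    if (buf == NULL || len < 28) return -1;
    uint32_t magic = mo_u32(buf, 0);
    int swap = (magic == MO_MAGIC) ? 0 : (magic == MO_MAGIC_SWAPPED) ? 1 : -1;
    if (swap < 0) return -1;
    uint32_t n = mo_u32(buf + 8, swap);
    if (mo_check_table(buf, len, mo_u32(buf + 12, swap), n, swap)) return -1;
    return mo_check_table(buf, len, mo_u32(buf + 16, swap), n, swap);
}

/* Constructed sample: host-endian catalog with one entry "Hello" -> "Bonjour" (60 bytes). */
size_t mo_build_sample(unsigned char *out) {
    uint32_t hdr[7] = { MO_MAGIC, 0, 1, 28, 36, 0, 44 };
    uint32_t orig[2] = { 5, 44 }, trans[2] = { 7, 52 };
    memset(out, 0, 60);
    memcpy(out, hdr, 28);
    memcpy(out + 28, orig, 8);
    memcpy(out + 36, trans, 8);
    memcpy(out + 44, "Hello", 6);
    memcpy(out + 52, "Bonjour", 8);
    return 60;
}
```

Overwriting the sample's tail with random bytes, as the report's dd command does to fr.gmo, makes mo_validate() return -1 rather than letting the lookup dereference a bogus offset.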