Your message dated Sun, 29 Apr 2007 00:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#417789: fixed in elinks 0.11.1-1.4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: elinks
Version: 0.11.1-1.2
Severity: grave
Tags: security, patch
Hi,
Elinks loads untrusted gettext catalogs from the relative directory
"../po/", and crashes (SIGSEGV) if the loaded file is corrupted. You
can check by yourself with the following commands:
$ mkdir -p /tmp/elinks/{run,po}
$ cp /usr/share/locale/fr/LC_MESSAGES/elinks.mo /tmp/elinks/po/fr.gmo
$ dd if=/dev/urandom of=/tmp/elinks/po/fr.gmo bs=1024 seek=1 count=200
$ cd /tmp/elinks/run
$ LANG=fr_FR strace -eopen -otrace elinks
[...]
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
open("/usr/share/locale/locale.alias", O_RDONLY|O_LARGEFILE) = 3
open("../po/fr_FR.gmo", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/fr_FR/LC_MESSAGES/messages.mo", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("../po/fr.gmo", O_RDONLY|O_LARGEFILE) = 3
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++
Process 29917 detached
A gdb backtrace is included at the end of the message.
I tagged this bug as grave+security because it can be used to make
elinks load any corrupted file, and possibly execute arbitrary code.
Imagine an evil user placing some specially crafted files in
"/tmp/po/". Then, another user (root for example) runs elinks from a
directory "/tmp/foo/", and thus loads the bad file(s).
A quick grep for '\.\./po' in the elinks sources gives the culprit
function: add_filename_to_string() around line 216 of file
"elinks-0.11.1/src/intl/gettext/loadmsgcat.c".
IMHO, changing this function to return NULL unconditionally should fix
the problem (I did not want to download all the build dependencies to
verify).
Regards,
Arnaud Giersch
$ gdb -q /usr/bin/elinks -c core
(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libgnutls.so.13...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgnutls.so.13
Reading symbols from /usr/lib/liblua50.so.5.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/liblua50.so.5.0
Reading symbols from /usr/lib/liblualib50.so.5.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/liblualib50.so.5.0
Reading symbols from /lib/tls/i686/cmov/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libm.so.6
Reading symbols from /usr/lib/libperl.so.5.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libperl.so.5.8
Reading symbols from /lib/tls/i686/cmov/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libdl.so.2
Reading symbols from /lib/tls/i686/cmov/libpthread.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libpthread.so.0
Reading symbols from /lib/tls/i686/cmov/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libc.so.6
Reading symbols from /lib/tls/i686/cmov/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libcrypt.so.1
Reading symbols from /usr/lib/libgpm.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgpm.so.1
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/libbz2.so.1.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libbz2.so.1.0
Reading symbols from /usr/lib/libexpat.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libexpat.so.1
Reading symbols from /usr/lib/libgnutls-openssl.so.13...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgnutls-openssl.so.13
Reading symbols from /usr/lib/libtasn1.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libtasn1.so.3
Reading symbols from /usr/lib/libgcrypt.so.11...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgcrypt.so.11
Reading symbols from /usr/lib/libgpg-error.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgpg-error.so.0
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.3.6.so...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/tls/i686/cmov/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnsl.so.1
(no debugging symbols found)
Core was generated by `elinks'.
Program terminated with signal 11, Segmentation fault.
#0 0x0809da6c in _nl_find_msg ()
(gdb) where
#0 0x0809da6c in _nl_find_msg ()
#1 0x0809f4fe in _nl_init_domain_conv ()
#2 0x0809fc28 in _nl_load_domain ()
#3 0x0809e896 in _nl_find_domain ()
#4 0x0809de99 in dcigettext__ ()
#5 0x0809d4c1 in dcgettext__ ()
#6 0x0809e8c2 in gettext__ ()
#7 0x080a356e in get_dyn_full_version ()
#8 0x080a36c9 in init_static_version ()
#9 0x080a1e8c in init_interlink ()
#10 0x080a2be0 in select_loop ()
#11 0x080a2444 in main ()
(gdb)
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing'), (50, 'unstable'), (40, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Versions of packages elinks depends on:
ii debconf 1.5.11 Debian configuration management sy
ii libbz2-1.0 1.0.3-6 high-quality block-sorting file co
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libexpat1 1.95.8-3.4 XML parsing C library - runtime li
ii libgnutls13 1.4.4-3 the GNU TLS library - runtime libr
ii libgpmg1 1.19.6-25 General Purpose Mouse - shared lib
ii liblua50 5.0.3-2 Main interpreter library for the L
ii liblualib50 5.0.3-2 Extension library for the Lua 5.0
ii libperl5.8 5.8.8-7 Shared Perl library
ii zlib1g 1:1.2.3-13 compression library - runtime
elinks recommends no packages.
-- no debconf information
--- End Message ---
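The code below is an added example written for this page; it is not code from elinks, from glibc's libintl, or from the bug report above (the reporter's own suggestion was to make add_filename_to_string() return NULL, and the 0.11.1-1.4 upload simply stops searching ../po/). It shows the two checks a catalog loader needs to survive the scenario in the report: a bounds check of a GNU .mo file's string and hash tables before anything like _nl_find_msg() indexes them, so a catalog overwritten with random bytes is rejected instead of dereferenced, and a path builder that refuses a relative catalog directory such as ../po/, which is what turns a world-writable /tmp into a load path for whoever runs elinks there. The .mo layout used is the documented GNU gettext format (seven 32-bit header words, two tables of length/offset pairs, NUL-terminated strings). The one-entry sample catalog, the corruptions applied to it, and the names mo_validate, mo_catalog_path, build_sample_mo, check_sample and sample_path are all constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not elinks/libintl code. Magic as read little-endian:
   0x950412de means an LE file, its byte-swapped form means a BE file. */
#define MO_MAGIC_LE 0x950412deu
#define MO_MAGIC_BE 0xde120495u
#define MO_HDR_LEN  28

static uint32_t rd32(const unsigned char *p, size_t off, int be)
{
    const unsigned char *b = p + off;
    return be ? ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3]
              : ((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) | ((uint32_t)b[1] << 8) | b[0];
}

/* Every (length, offset) pair in a string table must lie inside the buffer
   and the string must end with the NUL the format guarantees. All sums are
   done in 64 bits so a hostile 32-bit offset cannot wrap the check. */
static int table_ok(const unsigned char *buf, size_t len, uint64_t tab, uint32_t n, int be)
{
    if (tab + (uint64_t)n * 8 > len) return 0;            /* table itself past EOF */
    for (uint32_t i = 0; i < n; i++) {
        uint64_t slen = rd32(buf, (size_t)(tab + 8 * i), be);
        uint64_t soff = rd32(buf, (size_t)(tab + 8 * i + 4), be);
        if (soff + slen + 1 > len) return 0;               /* string runs past EOF */
        if (buf[soff + slen] != 0) return 0;               /* missing terminator */
    }
    return 1;
}

/* 0 = safe to index; negative = reject before any lookup touches the tables. */
int mo_validate(const unsigned char *buf, size_t len)
{
    if (len < MO_HDR_LEN) return -1;                      /* truncated header */
    uint32_t magic = rd32(buf, 0, 0);
    int be;
    if (magic == MO_MAGIC_LE) be = 0;
    else if (magic == MO_MAGIC_BE) be = 1;
    else return -2;                                       /* not a catalog at all */
    uint32_t n        = rd32(buf, 8, be);
    uint64_t orig_tab = rd32(buf, 12, be);
    uint64_t tran_tab = rd32(buf, 16, be);
    uint64_t hash_n   = rd32(buf, 20, be);
    uint64_t hash_tab = rd32(buf, 24, be);
    if (!table_ok(buf, len, orig_tab, n, be)) return -3;
    if (!table_ok(buf, len, tran_tab, n, be)) return -4;
    if (hash_n && hash_tab + hash_n * 4 > len) return -5; /* hash table past EOF */
    return 0;
}

/* Only an absolute catalog directory is acceptable; "../po/" resolves against
   whatever directory the user happened to start the program in. Locale and
   domain names must not carry path components either. */
int mo_catalog_path(const char *localedir, const char *locale, const char *domain,
                    char *out, size_t outlen)
{
    if (localedir[0] != '/') return -1;
    if (strchr(locale, '/') || strstr(locale, "..")) return -2;
    if (strchr(domain, '/') || strstr(domain, "..")) return -2;
    int n = snprintf(out, outlen, "%s/%s/LC_MESSAGES/%s.mo", localedir, locale, domain);
    return (n < 0 || (size_t)n >= outlen) ? -3 : 0;
}

/* Constructed sample: a one-entry LE catalog mapping "hello" to "bonjour". */
size_t build_sample_mo(unsigned char *out, size_t cap)
{
    static const char orig[] = "hello", tran[] = "bonjour";
    uint32_t orig_off = MO_HDR_LEN + 16;                  /* after both 8-byte tables */
    uint32_t tran_off = orig_off + (uint32_t)sizeof orig;
    size_t total = tran_off + sizeof tran;
    if (cap < total) return 0;
    uint32_t words[] = { MO_MAGIC_LE, 0, 1, MO_HDR_LEN, MO_HDR_LEN + 8, 0, 0,
                         (uint32_t)sizeof orig - 1, orig_off,
                         (uint32_t)sizeof tran - 1, tran_off };
    for (size_t i = 0; i < sizeof words / sizeof words[0]; i++)
        for (int b = 0; b < 4; b++) out[4 * i + b] = (unsigned char)(words[i] >> (8 * b));
    memcpy(out + orig_off, orig, sizeof orig);
    memcpy(out + tran_off, tran, sizeof tran);
    return total;
}

/* Build the sample, optionally damage it the way a random overwrite would, and
   return the validator's verdict. 0 = intact, 1 = bogus original-table offset,
   2 = oversized translation length, 3 = file truncated inside the header. */
int check_sample(int corrupt)
{
    unsigned char cat[64];
    size_t len = build_sample_mo(cat, sizeof cat);
    if (corrupt == 1) { cat[12] = 0xff; cat[13] = 0xff; }
    if (corrupt == 2) cat[36] = 0xff;
    if (corrupt == 3) len = 20;
    return mo_validate(cat, len);
}

/* Resolve the "fr"/"elinks" catalog under a given directory; NULL if refused. */
const char *sample_path(const char *localedir)
{
    static char p[256];
    return mo_catalog_path(localedir, "fr", "elinks", p, sizeof p) == 0 ? p : NULL;
}

int main(void)
{
    printf("intact=%d bad_table=%d bad_length=%d truncated=%d\n",
           check_sample(0), check_sample(1), check_sample(2), check_sample(3));
    printf("../po -> %s\n", sample_path("../po") ? "accepted" : "refused");
    printf("/usr/share/locale -> %s\n", sample_path("/usr/share/locale"));
    return 0;
}
```

The validator only rejects; a loader that passes it can still be handed a translation it does not like, so the second line of defence remains the one the Debian upload took: never derive the catalog directory from the current working directory in the first place.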
--- Begin Message ---
Source: elinks
Source-Version: 0.11.1-1.4
We believe that the bug you reported is fixed in the latest version of
elinks, which is due to be installed in the Debian FTP archive:
elinks-lite_0.11.1-1.4_i386.deb
to pool/main/e/elinks/elinks-lite_0.11.1-1.4_i386.deb
elinks_0.11.1-1.4.diff.gz
to pool/main/e/elinks/elinks_0.11.1-1.4.diff.gz
elinks_0.11.1-1.4.dsc
to pool/main/e/elinks/elinks_0.11.1-1.4.dsc
elinks_0.11.1-1.4_i386.deb
to pool/main/e/elinks/elinks_0.11.1-1.4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Cristau <[EMAIL PROTECTED]> (supplier of updated elinks package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 29 Apr 2007 00:18:54 +0200
Source: elinks
Binary: elinks-lite elinks
Architecture: source i386
Version: 0.11.1-1.4
Distribution: unstable
Urgency: high
Maintainer: Peter Gervai <[EMAIL PROTECTED]>
Changed-By: Julien Cristau <[EMAIL PROTECTED]>
Description:
elinks - advanced text-mode WWW browser
elinks-lite - advanced text-mode WWW browser (lite version)
Closes: 417789
Changes:
elinks (0.11.1-1.4) unstable; urgency=high
.
* Non-maintainer security upload.
* Don't look for gettext message catalogs in ../po/ (closes: #417789).
Thanks, Arnaud Giersch! Reference: CVE-2007-2027.
Files:
4040eff6942613684fb9517b5b6181c9 768 web optional elinks_0.11.1-1.4.dsc
1333d86643a26ab29db3c615d24cab00 28360 web optional elinks_0.11.1-1.4.diff.gz
432881cc9046e4c30fdf9a3241cb7e36 1179828 web optional elinks_0.11.1-1.4_i386.deb
32bc2e8aa8fc1796f0f2110594fd337e 417316 web optional elinks-lite_0.11.1-1.4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGM+TJmEvTgKxfcAwRAiO+AJ95A8Rb/DZ7VolotfkkHnW/jKmF+ACeObor
ioiZVHy4f2I1Xs3g7Pkj9Cc=
=n8y+
-----END PGP SIGNATURE-----
--- End Message ---