On 19 Mar 2004 16:29:09 +0100, Dominik Vogt wrote:
> 
> on 1-Jan-2004 you fixed a vulnerability in fvwm-menu-directory.in
> that allowed an attacker to execute commands with the rights of
> the fvwm user.  I have backported it to 2.4.18, but I'm unsure if
> the other fvwm-menu* scripts are vulnerable too.

Only fvwm-menu-directory builds a menu from an arbitrary directory
listing. Others use different methods to obtain the content. Well, if
someone patches xlock -help output, or breaks into FreshMeat server, or
affects gnome's installation, then theoretically other scripts may be
problematic too. However it is easier just to patch fvwm and insert some
trojan. Additionally, these other scripts process one input line at any
time, and this line is escaped, so this multi-line problem can't appear.

> The fvwm_make_{browse,directory}_menu.sh scripts are definitely
> vulnerable too.  As I don't know how to fix them, should they be
> removed?

These scripts are not installed, so they are less of a problem. Also they
use "ls | sed" to obtain the listing and not readdir(2). It is possible
that there is some kind of shell escaping vulnerability, but not this
multi-line vulnerability. I think they simply produce incorrect menu
entries if a file name contains an end-of-line char; that's ok.

P.S. Unfortunately my mouse is dead right now, so I am not really
able to test what I said. My fvwm is very usable, but applications
are usually not designed to work well without a mouse. The most missed
feature is copy-and-paste in the terminal, needed for any sane work.
I managed to lock X when I tried to emulate mouse clicks using
Shift-NumLock keypad presses... Hopefully I will fix my mouse soon. :)

Regards,
Mikhael.
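
The multi-line problem discussed in this message, as an added example that is not part of the original mail and not fvwm's own code. It uses Python in place of the Perl script; the `+ "label" Nop` line format is a simplified stand-in for generated menu output, and the backslash quoting rule and all function names are assumptions.

```python
import re

# Constructed sample: names as readdir(2) / os.listdir() could return them.
# The second name contains an embedded newline.
SAMPLE_NAMES = ["report.txt", "notes\nSECOND LINE", 'say "hi".txt']

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# A well-formed entry in the simplified format used here (an assumption).
ENTRY = re.compile(r'^\+ "(?:[^"\\]|\\.)*" Nop$')


def naive_menu(names):
    """Interpolate each name as-is: one name may become several lines."""
    return "".join(f'+ "{name}" Nop\n' for name in names)


def safe_menu(names):
    """Return (menu_text, rejected).

    Names containing control characters (newline included) are rejected;
    backslash and double quote are backslash-escaped, which is the
    assumed quoting rule of the consumer.
    """
    lines, rejected = [], []
    for name in names:
        if CONTROL_CHARS.search(name):
            rejected.append(name)
            continue
        label = name.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'+ "{label}" Nop\n')
    return "".join(lines), rejected


def malformed_lines(menu_text):
    """Lines a line-oriented consumer would read that are not entries."""
    lines = [line for line in menu_text.split("\n") if line]
    return [line for line in lines if not ENTRY.match(line)]


if __name__ == "__main__":
    # Three names produce four lines, three of them malformed.
    print(malformed_lines(naive_menu(SAMPLE_NAMES)))
    text, rejected = safe_menu(SAMPLE_NAMES)
    # Every emitted line is a single entry; the newline name is reported.
    print(malformed_lines(text), rejected)
```

Running `malformed_lines` over generated output before it is loaded is a cheap regression check for any generator that builds line-oriented configuration from file names.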