Bug#329667: mozilla-thunderbird --compose executes shell commands

2005-09-23 Thread Y Giridhar Appaji Nag
merge 329664 329667
thanks

On 05/09/22 17:27 +0200, Florian Weimer said ...
 Package: mozilla-thunderbird
 Version: 1.0.6-3
 Severity: grave
 Tags: security
 
 The --compose option executes shell commands:
 
   mozilla-thunderbird --compose 'mailto:`df`'
 
 The df output appears in the To: line of the message.
 
 (This is related to the recently disclosed Firefox bug, which does not
 seem to affect Debian thanks to a different wrapper script.)

-- 
Y Giridhar Appaji Nag | http://www.appaji.net/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#329667: mozilla-thunderbird --compose executes shell commands

2005-09-23 Thread Florian Weimer
* Alexander Sack:

 Attached a start script that should fix this issue ...

 echo moreargs $moreargs

This seems to be some debugging cruft.  Have you sent the correct
version?





Bug#329667: mozilla-thunderbird --compose executes shell commands

2005-09-23 Thread Alexander Sack - Debian Bugmail
On Fri, Sep 23, 2005 at 03:41:02PM +0530, Y Giridhar Appaji Nag wrote:
 merge 329664 329667
 thanks
 
 On 05/09/22 17:27 +0200, Florian Weimer said ...
  Package: mozilla-thunderbird
  Version: 1.0.6-3
  Severity: grave
  Tags: security
  
  The --compose option executes shell commands:
  
mozilla-thunderbird --compose 'mailto:`df`'
  
  The df output appears in the To: line of the message.
  
  (This is related to the recently disclosed Firefox bug, which does not
  seem to affect Debian thanks to a different wrapper script.)
 

Attached a start script that should fix this issue ... I definitely
need feedback before I can push this to stable. Debian's script is
heavily modified compared to upstream's version so I cannot take their
patch directly. Reverting our patches is not an option either. The upstream
script really works only for some cases.

So, if someone could please confirm that all the things they usually do
still work with the attached script *and*, most importantly, that this bug
is gone, I would be happy to hear about it.

Improved patches welcome.

Thanks!

 - Alexander

 p.s. please take care that the bug is listed as To: or CC: when 
  replying to this mail (e.g. /reply-all/). 
-- 
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack| : :' :  The  universal
 [EMAIL PROTECTED]   | `. `'  Operating System
 http://www.asoftsite.org  |   `-http://www.debian.org/
#!/bin/sh
#
# The contents of this file are subject to the Netscape Public License
# Version 1.0 (the NPL); you may not use this file except in
# compliance with the NPL.  You may obtain a copy of the NPL at
# http://www.mozilla.org/NPL/
#
# Software distributed under the NPL is distributed on an AS IS basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the NPL
# for the specific language governing rights and limitations under the
# NPL.
#
# The Initial Developer of this code under the NPL is Netscape
# Communications Corporation.  Portions created by Netscape are
# Copyright (C) 1998 Netscape Communications Corporation.  All Rights
# Reserved.
#

## $Id: mozilla.in,v 1.2.6.1 2004/07/24 23:58:06 bryner%brianryner.com Exp $
## 
## Usage:
##
## $ mozilla [args]
##
## This script is meant to run the mozilla-bin binary from either 
## mozilla/xpfe/bootstrap or mozilla/dist/bin.
##
## The script will setup all the environment voodoo needed to make
## the mozilla-bin binary to work.
##

moz_pis_startstop_scripts()
{
  MOZ_USER_DIR=".mozilla-thunderbird"
  # MOZ_PIS_ is the name space for "Mozilla Plugable Init Scripts"
  # These variables and their meaning are specified in
  # mozilla/xpfe/bootstrap/init.d/README
  MOZ_PIS_API=2
  MOZ_PIS_MOZBINDIR="${dist_bin}"
  MOZ_PIS_SESSION_PID="$$"
  MOZ_PIS_USER_DIR="${MOZ_USER_DIR}"
  export MOZ_PIS_API MOZ_PIS_MOZBINDIR MOZ_PIS_SESSION_PID MOZ_PIS_USER_DIR

  case "${1}" in
    start)
      for curr_pis in "${dist_bin}"/init.d/S* "${HOME}/${MOZ_USER_DIR}"/init.d/S* ; do
        if [ -x "${curr_pis}" ] ; then
          case "${curr_pis}" in
            *.sh) . "${curr_pis}" ;;
            *)    "${curr_pis}" start ;;
          esac
        fi
      done
      ;;
    stop)
      for curr_pis in "${HOME}/${MOZ_USER_DIR}"/init.d/K* "${dist_bin}"/init.d/K* ; do
        if [ -x "${curr_pis}" ] ; then
          case "${curr_pis}" in
            *.sh) . "${curr_pis}" ;;
            *)    "${curr_pis}" stop ;;
          esac
        fi
      done
      ;;
    *)
      echo 1>&2 "$0: Internal error in moz_pis_startstop_scripts."
      exit 1
      ;;
  esac
}

#uncomment for debugging
#set -x

moz_libdir=/usr/lib/mozilla-thunderbird
MRE_HOME=/usr/lib/mre/mre

# Use run-mozilla.sh in the current dir if it exists
# If not, then start resolving symlinks until we find run-mozilla.sh
found=0
progname="$0"
curdir=`dirname "$progname"`
progbase=`basename "$progname"`
run_moz="$curdir/run-mozilla.sh"
if test -x "$run_moz"; then
  dist_bin="$curdir"
  found=1
else
  here=`/bin/pwd`
  while [ -h "$progname" ]; do
    bn=`basename "$progname"`
    cd `dirname "$progname"`
    progname=`/bin/ls -l "$bn" | sed -e 's/^.* -> //' `
    if [ ! -x "$progname" ]; then
      break
    fi
    curdir=`dirname "$progname"`
    run_moz="$curdir/run-mozilla.sh"
    if [ -x "$run_moz" ]; then
      cd "$curdir"
      dist_bin=`pwd`
      found=1
      break
    fi
  done
  cd "$here"
fi
if [ $found = 0 ]; then
  # Check default compile-time libdir
  if [ -x "$moz_libdir/run-mozilla.sh" ]; then
    dist_bin="$moz_libdir"
    run_moz="$moz_libdir/run-mozilla.sh"
  else
    echo "Cannot find mozilla runtime directory. Exiting."
    exit 1
  fi
fi

script_args=
moreargs=
debugging=0
MOZILLA_BIN=${progbase}-bin

# The following is to check for a currently running instance.
# This is taken almost verbatim from the Mozilla RPM package's launch script.
MOZ_CLIENT_PROGRAM=$dist_bin/mozilla-thunderbird-xremote-client
check_running() {
  "${run_moz}" "$MOZ_CLIENT_PROGRAM" -a 'mozilla-thunderbird' 'ping()' 2>/dev/null >/dev/null

Bug#329667: mozilla-thunderbird --compose executes shell commands

2005-09-23 Thread Florian Weimer
* Florian Weimer:

 * Alexander Sack:

 Attached a start script that should fix this issue ...

 echo moreargs $moreargs

 This seems to be some debugging cruft.  Have you sent the correct
 version?

Uhm, it's still exploitable anyway.  This time, the command is:

  mozilla-thunderbird --compose 'mailto:'\''`df`'\'





Bug#329667: mozilla-thunderbird --compose executes shell commands

2005-09-23 Thread Alexander Sack - Debian Bugmail
On Fri, Sep 23, 2005 at 03:49:12PM +0200, Florian Weimer wrote:
 * Florian Weimer:
 
  * Alexander Sack:
 
  Attached a start script that should fix this issue ...
 
  echo moreargs $moreargs
 
  This seems to be some debugging cruft.  Have you sent the correct
  version?
 
 Uhm, it's still exploitable anyway.  This time, the command is:
 
   mozilla-thunderbird --compose 'mailto:'\''`df`'\'
 

Bad ... so this is the wrong approach.

You have an idea on how to fix the original script in a minimal way?


 - Alexander

 p.s. please take care that the bug is listed as To: or CC: when 
  replying to this mail (e.g. /reply-all/). 
-- 
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack| : :' :  The  universal
 [EMAIL PROTECTED]   | `. `'  Operating System
 http://www.asoftsite.org  |   `-http://www.debian.org/





Bug#329667: mozilla-thunderbird --compose executes shell commands

2005-09-23 Thread Florian Weimer
* Alexander Sack:

 Uhm, it's still exploitable anyway.  This time, the command is:
 
   mozilla-thunderbird --compose 'mailto:'\''`df`'\'
 

 Bad ... so this is the wrong approach.

 You have an idea on how to fix the original script in a minimal way?

A compromise between robustness and minimality is to use /bin/bash
instead of /bin/sh (which doesn't change anything for most people) and
real arrays instead of $@ (a bash-specific feature).  The patch below
implements this.

By the way,

  [EMAIL PROTECTED]$1

is actually an array append operation.  [EMAIL PROTECTED] evaluates to
the current number of elements, and arrays are zero-based, so the
left-hand side of the assignment denotes an array element one past the
current last element.  (Maybe this should be included as a comment in
the script; I'm not sure.)  The declare -a directives are optional,
but I've included them to reflect the previous initializations.

I can't get the @@ -334,9 +331,9 @@ hunk to execute on my machine,
so more testing is needed.

--- mozilla-thunderbird 2005/09/23 14:17:28 1.1
+++ mozilla-thunderbird 2005/09/23 14:31:25
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # The contents of this file are subject to the Netscape Public License
 # Version 1.0 (the NPL); you may not use this file except in
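Review bot: the interpreter change on the first line is what makes the array syntax in the later hunks valid, but nothing in the file records that. Add a comment directly under the shebang stating that bash is required for the argument arrays, so the script is not later switched back to /bin/sh and the eval-based argument handling reintroduced.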
@@ -117,7 +117,7 @@
 fi
 
 script_args=
-moreargs=
+declare -a moreargs
 debugging=0
 MOZILLA_BIN=${progbase}-bin
 
@@ -220,9 +220,7 @@
   shift 2
   ;;
 *)
-  # Protect quotes and $ in command-line arguments from two shell evals
-  moreargs=$moreargs \$(echo $1 | sed -e 's//\\\/g' \
-  -e 's/[$]/\\\$/g')\
+  [EMAIL PROTECTED]$1
   shift 1
   ;;
   esac
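Review bot: the removed comment about protecting quotes and $ "from two shell evals" is dropped without a replacement, and the added append line is not self-explanatory. Put a comment above it saying that the argument is stored verbatim as one array element (index equal to the current length) and that moreargs must never be passed through eval again; the cover message already suggests such a comment.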
@@ -293,11 +291,10 @@
 LOCALE_ARGS=-contentLocale $MOZLOCALE -UILocale $MOZLOCALE
 if [ $ALREADY_RUNNING -eq 1 ]; then LOCK_FILE=lock; else LOCK_FILE=; fi 
 
-MOZ_ARGS=
+declare -a MOZ_ARGS
 donext=
 
-eval set -- $moreargs
-for opt_in in $@
+for opt_in in [EMAIL PROTECTED]
 do
   if [ -z $donext ]
   then 
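Review bot: LOCALE_ARGS on the first context line is still assembled as a single string from $MOZLOCALE while the other arguments move to arrays, and it is expanded on the final command line. Check where MOZLOCALE is set and, if it is not a fixed value, build LOCALE_ARGS as an array as well. The loop's word list is masked in this copy of the patch, so also confirm that it is the quoted whole-array expansion, since an unquoted one would split arguments that contain spaces.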
@@ -321,11 +318,11 @@
  next=compose
  donext=true
else
-  MOZ_ARGS=$MOZ_ARGS \$opt_in\
+  [EMAIL PROTECTED]$opt_in
  donext=
fi
  else
-   MOZ_ARGS=$MOZ_ARGS \$opt_in\
+   [EMAIL PROTECTED]$opt_in
donext=
  fi
   else 
@@ -334,9 +331,9 @@
  then
 # cut off protocol
mail_to=$(expr match $opt_in mailto:\(.*\))
-   MOZ_ARGS=\mailto($mail_to)\
-   eval set -- $MOZ_ARGS
-   ${run_moz} $MOZ_CLIENT_PROGRAM -a 'mozilla-thunderbird' $@
+[EMAIL PROTECTED]mailto($mail_to)
+   ${run_moz} $MOZ_CLIENT_PROGRAM -a 'mozilla-thunderbird' \
+  [EMAIL PROTECTED]
exit $?
  fi
  donext=
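Review bot: the removed line assigned MOZ_ARGS outright, so the remote call received only the mailto(...) argument; if the added line is the same append form used in the other hunks, any options collected earlier in the loop are now passed to $MOZ_CLIENT_PROGRAM as well. Reset the array before this point or pass the single mailto(...) element directly, and exercise this branch (Thunderbird already running, explicit compose argument) before upload, since the cover message says the hunk could not be reached in testing.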
@@ -349,16 +346,16 @@
 fi
 
 export MRE_HOME
-eval set -- $MOZ_ARGS
 
 ## Start addon scripts
 moz_pis_startstop_scripts start
 
 if [ $debugging = 1 ]
 then
-  echo $dist_bin/run-mozilla.sh $script_args $dist_bin/$MOZILLA_BIN 
$LOCALE_ARGS $@@
+  echo $dist_bin/run-mozilla.sh $script_args $dist_bin/$MOZILLA_BIN 
$LOCALE_ARGS [EMAIL PROTECTED]@
 fi
-$dist_bin/run-mozilla.sh $script_args $dist_bin/$MOZILLA_BIN $LOCALE_ARGS 
$@
+$dist_bin/run-mozilla.sh $script_args $dist_bin/$MOZILLA_BIN $LOCALE_ARGS \
+  [EMAIL PROTECTED]
 
 exitcode=$?
 
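Review bot: the debugging echo in this hunk ends with a stray @ after the argument expansion, carried over from the $@@ in the removed line, so the printed command differs from the one that is run two lines later. Drop the trailing @ and print the arguments in the same quoted form as the real invocation. $script_args and $LOCALE_ARGS are also still expanded as plain strings on that invocation, which is worth a comment if they are guaranteed to hold fixed values.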





Bug#329667: mozilla-thunderbird --compose executes shell commands

2005-09-23 Thread Alexander Sack
Thanks for the patch. If there is no other solution, I will use bash
instead of sh. Do I need to add bash to the Depends explicitly?

On Fri, Sep 23, 2005 at 04:38:38PM +0200, Florian Weimer wrote:
 
 I can't get the @@ -334,9 +331,9 @@ hunk to execute on my machine,
 so more testing is needed.

The branch should be entered if thunderbird is running and you pass 
-compose mailto:something explicitly (In contrast to just
mailto:something)

... btw --compose is not a recognized option AFAIK.

-- 
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack| : :' :  The  universal
 [EMAIL PROTECTED]   | `. `'  Operating System
 http://www.asoftsite.org  |   `-http://www.debian.org





Bug#329667: mozilla-thunderbird --compose executes shell commands

2005-09-23 Thread Alexander Sack - Debian Bugmail
On Fri, Sep 23, 2005 at 04:38:38PM +0200, Florian Weimer wrote:
 -  # Protect quotes and $ in command-line arguments from two shell evals
 -  moreargs=$moreargs \$(echo $1 | sed -e 's//\\\/g' \
 -  -e 's/[$]/\\\$/g')\
 +  [EMAIL PROTECTED]$1
shift 1


You sure that all escaping and sedding is not needed anymore? 

 - Alexander

 p.s. please take care that the bug is listed as To: or CC: when 
  replying to this mail (e.g. /reply-all/). 
-- 
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack| : :' :  The  universal
 [EMAIL PROTECTED]   | `. `'  Operating System
 http://www.asoftsite.org  |   `-http://www.debian.org/





Bug#329667: mozilla-thunderbird --compose executes shell commands

2005-09-23 Thread Florian Weimer
* Alexander Sack:

 Thanks for the patch. If there is no other solution, I will use bash
 instead of sh. Do I need to add bash to the Depends explicitly?

No, bash is marked essential, and you need not declare any
dependencies on such packages.  (Otherwise I would not have proposed
this change.)

 On Fri, Sep 23, 2005 at 04:38:38PM +0200, Florian Weimer wrote:
 
 I can't get the @@ -334,9 +331,9 @@ hunk to execute on my machine,
 so more testing is needed.

 The branch should be entered if thunderbird is running and you pass 
 -compose mailto:something explicitly (In contrast to just
 mailto:something)

Yes, seems to work AFAICT, especially if I use --compose.





Bug#329667: mozilla-thunderbird --compose executes shell commands

2005-09-23 Thread Florian Weimer
* Alexander Sack:

 On Fri, Sep 23, 2005 at 04:38:38PM +0200, Florian Weimer wrote:
 -  # Protect quotes and $ in command-line arguments from two shell evals
 -  moreargs=$moreargs \$(echo $1 | sed -e 's//\\\/g' \
 -  -e 's/[$]/\\\$/g')\
 +  [EMAIL PROTECTED]$1
shift 1


 You sure that all escaping and sedding is not needed anymore? 

Quite sure, yes.  The [EMAIL PROTECTED] construct prevents
interpretation of shell metacharacters, just like $@ does.

There is another command injection possibility, via the -d option,
but its argument appears to be trusted anyway.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
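
The difference discussed in this thread, as an added example that is not part of the original messages or of the Debian script: collect_with_eval reconstructs the removed string-plus-eval pattern (assuming its sed step escaped only double quotes and $), and collect_with_array uses the bash append idiom described with the patch. The function names and the harmless `echo EXECUTED` marker are constructed for the demonstration.

```bash
#!/bin/bash
# Added illustration; function names and the sample input are constructed.

# Old pattern: flatten arguments into one string, then re-parse with eval.
# Assumption: the sed step escapes only double quotes and $, as the removed
# comment ("Protect quotes and $") suggests. Backticks are left untouched.
collect_with_eval() {
  local moreargs="" arg
  for arg in "$@"; do
    arg=$(printf '%s' "$arg" | sed -e 's/"/\\"/g' -e 's/[$]/\\$/g')
    moreargs="$moreargs \"$arg\""
  done
  eval "set -- $moreargs"      # second parse: the shell interprets the data
  printf '%s\n' "$@"
}

# Patched pattern: one array element per argument, never re-parsed.
collect_with_array() {
  local -a moreargs=()
  local arg
  for arg in "$@"; do
    # ${#moreargs[@]} is the current length, so this writes one past the end.
    moreargs[${#moreargs[@]}]="$arg"
  done
  printf '%s\n' "${moreargs[@]}"
}

# Constructed input: same shape as the report, with a harmless echo.
sample='mailto:`echo EXECUTED`'
echo "eval : $(collect_with_eval "$sample")"    # substitution was executed
echo "array: $(collect_with_array "$sample")"   # argument passed verbatim
```

The eval variant still protects `$(...)` because of its sed step, which shows why escaping a fixed list of characters fails as soon as one metacharacter is missed.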



Bug#329667: mozilla-thunderbird --compose executes shell commands

2005-09-22 Thread Florian Weimer
Package: mozilla-thunderbird
Version: 1.0.6-3
Severity: grave
Tags: security

The --compose option executes shell commands:

  mozilla-thunderbird --compose 'mailto:`df`'

The df output appears in the To: line of the message.

(This is related to the recently disclosed Firefox bug, which does not
seem to affect Debian thanks to a different wrapper script.)

