Bug#329667: mozilla-thunderbird --compose executes shell commands
merge 329664 329667
thanks

On 05/09/22 17:27 +0200, Florian Weimer said ...
> Package: mozilla-thunderbird
> Version: 1.0.6-3
> Severity: grave
> Tags: security
>
> The --compose option executes shell commands:
>
>   mozilla-thunderbird --compose 'mailto:`df`'
>
> The df output appears in the To: line of the message.
>
> (This is related to the recently disclosed Firefox bug, which does not
> seem to affect Debian thanks to a different wrapper script.)

--
Y Giridhar Appaji Nag | http://www.appaji.net/
Bug#329667: mozilla-thunderbird --compose executes shell commands
* Alexander Sack:

> Attached a start script that should fix this issue ...

>   echo moreargs $moreargs

This seems to be some debugging cruft. Have you sent the correct version?
Bug#329667: mozilla-thunderbird --compose executes shell commands
On Fri, Sep 23, 2005 at 03:41:02PM +0530, Y Giridhar Appaji Nag wrote:
> merge 329664 329667
> thanks
>
> On 05/09/22 17:27 +0200, Florian Weimer said ...
> > Package: mozilla-thunderbird
> > Version: 1.0.6-3
> > Severity: grave
> > Tags: security
> >
> > The --compose option executes shell commands:
> >
> >   mozilla-thunderbird --compose 'mailto:`df`'
> >
> > The df output appears in the To: line of the message.
> >
> > (This is related to the recently disclosed Firefox bug, which does not
> > seem to affect Debian thanks to a different wrapper script.)

Attached a start script that should fix this issue ...

I definitely need feedback before I can push this to stable. Debian's script is heavily modified compared to upstream's version so I cannot take their patch directly. Reverting our patches is no option either. Upstream script really works only for some cases.

So, if please someone could confirm that all things they usually do still work with the script attached *and* most importantly, that this bug is gone, I would be happy to hear about it.

Improved patches welcome.

Thanks!

 - Alexander

p.s. please take care that the bug is listed as To: or CC: when replying to this mail (e.g. /reply-all/).

--
 GPG messages preferred.    |  .''`.  ** Debian GNU/Linux **
 Alexander Sack             | : :' :      The  universal
 [EMAIL PROTECTED]          | `. `'      Operating System
 http://www.asoftsite.org   |   `-    http://www.debian.org/

#!/bin/sh
#
# The contents of this file are subject to the Netscape Public License
# Version 1.0 (the NPL); you may not use this file except in
# compliance with the NPL. You may obtain a copy of the NPL at
# http://www.mozilla.org/NPL/
#
# Software distributed under the NPL is distributed on an AS IS basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the NPL
# for the specific language governing rights and limitations under the
# NPL.
#
# The Initial Developer of this code under the NPL is Netscape
# Communications Corporation. Portions created by Netscape are
# Copyright (C) 1998 Netscape Communications Corporation. All Rights
# Reserved.
#

## $Id: mozilla.in,v 1.2.6.1 2004/07/24 23:58:06 bryner%brianryner.com Exp $
##
## Usage:
##
## $ mozilla [args]
##
## This script is meant to run the mozilla-bin binary from either
## mozilla/xpfe/bootstrap or mozilla/dist/bin.
##
## The script will setup all the environment voodoo needed to make
## the mozilla-bin binary to work.
##

moz_pis_startstop_scripts()
{
  MOZ_USER_DIR=".mozilla-thunderbird"
  # MOZ_PIS_ is the name space for Mozilla Plugable Init Scripts
  # These variables and there meaning are specified in
  # mozilla/xpfe/bootstrap/init.d/README
  MOZ_PIS_API=2
  MOZ_PIS_MOZBINDIR="${dist_bin}"
  MOZ_PIS_SESSION_PID="$$"
  MOZ_PIS_USER_DIR="${MOZ_USER_DIR}"
  export MOZ_PIS_API MOZ_PIS_MOZBINDIR MOZ_PIS_SESSION_PID MOZ_PIS_USER_DIR

  case "${1}" in
    start)
      for curr_pis in "${dist_bin}"/init.d/S* "${HOME}/${MOZ_USER_DIR}"/init.d/S* ; do
        if [ -x "${curr_pis}" ] ; then
          case "${curr_pis}" in
            *.sh) . "${curr_pis}" ;;
            *)    "${curr_pis}" start ;;
          esac
        fi
      done
      ;;
    stop)
      for curr_pis in "${HOME}/${MOZ_USER_DIR}"/init.d/K* "${dist_bin}"/init.d/K* ; do
        if [ -x "${curr_pis}" ] ; then
          case "${curr_pis}" in
            *.sh) . "${curr_pis}" ;;
            *)    "${curr_pis}" stop ;;
          esac
        fi
      done
      ;;
    *)
      echo 1>&2 "$0: Internal error in moz_pis_startstop_scripts."
      exit 1
      ;;
  esac
}

#uncomment for debugging
#set -x

moz_libdir=/usr/lib/mozilla-thunderbird
MRE_HOME=/usr/lib/mre/mre

# Use run-mozilla.sh in the current dir if it exists
# If not, then start resolving symlinks until we find run-mozilla.sh
found=0
progname="$0"
curdir=`dirname "$progname"`
progbase=`basename "$progname"`
run_moz="$curdir/run-mozilla.sh"
if test -x "$run_moz"; then
  dist_bin="$curdir"
  found=1
else
  here=`/bin/pwd`
  while [ -h "$progname" ]; do
    bn=`basename "$progname"`
    cd `dirname "$progname"`
    progname=`/bin/ls -l "$bn" | sed -e 's/^.* -> //' `
    if [ ! -x "$progname" ]; then
      break
    fi
    curdir=`dirname "$progname"`
    run_moz="$curdir/run-mozilla.sh"
    if [ -x "$run_moz" ]; then
      cd "$curdir"
      dist_bin=`pwd`
      found=1
      break
    fi
  done
  cd "$here"
fi
if [ $found = 0 ]; then
  # Check default compile-time libdir
  if [ -x "$moz_libdir/run-mozilla.sh" ]; then
    dist_bin="$moz_libdir"
    run_moz="$moz_libdir/run-mozilla.sh"
  else
    echo "Cannot find mozilla runtime directory. Exiting."
    exit 1
  fi
fi

script_args=""
moreargs=""
debugging=0
MOZILLA_BIN="${progbase}-bin"

# The following is to check for a currently running instance.
# This is taken almost verbatim from the Mozilla RPM package's launch script.
MOZ_CLIENT_PROGRAM="$dist_bin/mozilla-thunderbird-xremote-client"
check_running() {
    ${run_moz} $MOZ_CLIENT_PROGRAM -a 'mozilla-thunderbird' 'ping()' 2>/dev/null >/dev/null
    # (the archived attachment ends here)
}
Bug#329667: mozilla-thunderbird --compose executes shell commands
* Florian Weimer:

> * Alexander Sack:
>
> > Attached a start script that should fix this issue ...
>
> >   echo moreargs $moreargs
>
> This seems to be some debugging cruft. Have you sent the correct version?

Uhm, it's still exploitable anyway. This time, the command is:

  mozilla-thunderbird --compose 'mailto:'\''`df`'\'
Bug#329667: mozilla-thunderbird --compose executes shell commands
On Fri, Sep 23, 2005 at 03:49:12PM +0200, Florian Weimer wrote:
> * Florian Weimer:
>
> > * Alexander Sack:
> >
> > > Attached a start script that should fix this issue ...
> >
> > >   echo moreargs $moreargs
> >
> > This seems to be some debugging cruft. Have you sent the correct version?
>
> Uhm, it's still exploitable anyway. This time, the command is:
>
>   mozilla-thunderbird --compose 'mailto:'\''`df`'\'

Bad ... so this is the wrong approach. You have an idea on how to fix the original script in a minimal way?

 - Alexander

p.s. please take care that the bug is listed as To: or CC: when replying to this mail (e.g. /reply-all/).

--
 GPG messages preferred.    |  .''`.  ** Debian GNU/Linux **
 Alexander Sack             | : :' :      The  universal
 [EMAIL PROTECTED]          | `. `'      Operating System
 http://www.asoftsite.org   |   `-    http://www.debian.org/
Bug#329667: mozilla-thunderbird --compose executes shell commands
* Alexander Sack:

> > Uhm, it's still exploitable anyway. This time, the command is:
> >
> >   mozilla-thunderbird --compose 'mailto:'\''`df`'\'
>
> Bad ... so this is the wrong approach. You have an idea on how to fix the
> original script in a minimal way?

A compromise between robustness and minimality is to use /bin/bash instead of /bin/sh (which doesn't change anything for most people) and real arrays instead of $@ (a bash-specific feature). The patch below implements this.

By the way, [EMAIL PROTECTED]$1 is actually an array append operation. [EMAIL PROTECTED] evaluates to the current number of elements, and arrays are zero-based, so the left-hand side of the assignment denotes an array element one past the current last element. (Maybe this should be included as a comment in the script; I'm not sure.)

The declare -a directives are optional, but I've included them to reflect the previous initializations.

I can't get the @@ -334,9 +331,9 @@ hunk to execute on my machine, so more testing is needed.

--- mozilla-thunderbird 2005/09/23 14:17:28 1.1 +++ mozilla-thunderbird 2005/09/23 14:31:25 @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # The contents of this file are subject to the Netscape Public License # Version 1.0 (the NPL); you may not use this file except in @@ -117,7 +117,7 @@ fi script_args= -moreargs= +declare -a moreargs debugging=0 MOZILLA_BIN=${progbase}-bin @@ -220,9 +220,7 @@ shift 2 ;; *) - # Protect quotes and $ in command-line arguments from two shell evals - moreargs=$moreargs \$(echo $1 | sed -e 's//\\\/g' \ - -e 's/[$]/\\\$/g')\ + [EMAIL PROTECTED]$1 shift 1 ;; esac @@ -293,11 +291,10 @@ LOCALE_ARGS=-contentLocale $MOZLOCALE -UILocale $MOZLOCALE if [ $ALREADY_RUNNING -eq 1 ]; then LOCK_FILE=lock; else LOCK_FILE=; fi -MOZ_ARGS= +declare -a MOZ_ARGS donext= -eval set -- $moreargs -for opt_in in $@ +for opt_in in [EMAIL PROTECTED] do if [ -z $donext ] then 
@@ -321,11 +318,11 @@ next=compose donext=true else - MOZ_ARGS=$MOZ_ARGS \$opt_in\ + [EMAIL PROTECTED]$opt_in donext= fi else - MOZ_ARGS=$MOZ_ARGS \$opt_in\ + [EMAIL PROTECTED]$opt_in donext= fi else @@ -334,9 +331,9 @@ then # cut off protocol mail_to=$(expr match $opt_in mailto:\(.*\)) - MOZ_ARGS=\mailto($mail_to)\ - eval set -- $MOZ_ARGS - ${run_moz} $MOZ_CLIENT_PROGRAM -a 'mozilla-thunderbird' $@ +[EMAIL PROTECTED]mailto($mail_to) + ${run_moz} $MOZ_CLIENT_PROGRAM -a 'mozilla-thunderbird' \ + [EMAIL PROTECTED] exit $? fi donext= @@ -349,16 +346,16 @@ fi export MRE_HOME -eval set -- $MOZ_ARGS ## Start addon scripts moz_pis_startstop_scripts start if [ $debugging = 1 ] then - echo $dist_bin/run-mozilla.sh $script_args $dist_bin/$MOZILLA_BIN $LOCALE_ARGS $@@ + echo $dist_bin/run-mozilla.sh $script_args $dist_bin/$MOZILLA_BIN $LOCALE_ARGS [EMAIL PROTECTED]@ fi -$dist_bin/run-mozilla.sh $script_args $dist_bin/$MOZILLA_BIN $LOCALE_ARGS $@ +$dist_bin/run-mozilla.sh $script_args $dist_bin/$MOZILLA_BIN $LOCALE_ARGS \ + [EMAIL PROTECTED] exitcode=$?
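Review bot: In the `*)` branch of the @@ -220,9 +220,7 @@ hunk, the removed lines carried the comment `# Protect quotes and $ in command-line arguments from two shell evals`, while the line that replaces them has no comment. Add one stating that each argument is now appended verbatim as its own array element and that the array must never be flattened into a string or passed through `eval`, so a later cleanup does not bring the double-eval pattern back.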
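Review bot: In the @@ -334,9 +331,9 @@ hunk, the old code overwrote the variable (`MOZ_ARGS=\mailto($mail_to)\`) so that only the `mailto(...)` command reached `$MOZ_CLIENT_PROGRAM`; please confirm that the replacement line resets the array rather than appending to it, since any elements collected earlier in the loop would otherwise be forwarded to the running instance as well. The covering message says this branch could not be exercised, so it needs a run with an instance already open before it is merged. The added assignment also starts in column 0 while the surrounding lines are indented.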
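Review bot: In the @@ -349,16 +346,16 @@ hunk, the debugging `echo` line still ends with the stray `@` carried over from the old `$@@`, so the command it prints has an extra `@` after the last argument and does not match the line that is executed below it. Drop the trailing `@`. Since `echo` joins its arguments with spaces, the debug output also cannot show argument boundaries; printing one array element per line would make it usable for checking exactly the kind of quoting problem this patch addresses.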
Bug#329667: mozilla-thunderbird --compose executes shell commands
Thanks for the patch. If there is no other solution, I will use bash instead of sh. Do I need to add bash to the Depends explicitly?

On Fri, Sep 23, 2005 at 04:38:38PM +0200, Florian Weimer wrote:
>
> I can't get the @@ -334,9 +331,9 @@ hunk to execute on my machine, so more
> testing is needed.

The branch should be entered if thunderbird is running and you pass -compose mailto:something explicitly (In contrast to just mailto:something) ... btw --compose is not a recognized option AFAIK.

--
 GPG messages preferred.    |  .''`.  ** Debian GNU/Linux **
 Alexander Sack             | : :' :      The  universal
 [EMAIL PROTECTED]          | `. `'      Operating System
 http://www.asoftsite.org   |   `-    http://www.debian.org
Bug#329667: mozilla-thunderbird --compose executes shell commands
On Fri, Sep 23, 2005 at 04:38:38PM +0200, Florian Weimer wrote:
> - # Protect quotes and $ in command-line arguments from two shell evals - moreargs=$moreargs \$(echo $1 | sed -e 's//\\\/g' \ - -e 's/[$]/\\\$/g')\ + [EMAIL PROTECTED]$1 shift 1

You sure that all escaping and sedding is not needed anymore?

 - Alexander

p.s. please take care that the bug is listed as To: or CC: when replying to this mail (e.g. /reply-all/).

--
 GPG messages preferred.    |  .''`.  ** Debian GNU/Linux **
 Alexander Sack             | : :' :      The  universal
 [EMAIL PROTECTED]          | `. `'      Operating System
 http://www.asoftsite.org   |   `-    http://www.debian.org/
Bug#329667: mozilla-thunderbird --compose executes shell commands
* Alexander Sack:

> Thanks for the patch. If there is no other solution, I will use bash instead
> of sh. Do I need to add bash to the Depends explicitly?

No, bash is marked essential, and you need not declare any dependencies on such packages. (Otherwise I would not have proposed this change.)

> On Fri, Sep 23, 2005 at 04:38:38PM +0200, Florian Weimer wrote:
> >
> > I can't get the @@ -334,9 +331,9 @@ hunk to execute on my machine, so more
> > testing is needed.
>
> The branch should be entered if thunderbird is running and you pass
> -compose mailto:something explicitly (In contrast to just mailto:something)

Yes, seems to work AFAICT, especially if I use --compose.
Bug#329667: mozilla-thunderbird --compose executes shell commands
* Alexander Sack:

> On Fri, Sep 23, 2005 at 04:38:38PM +0200, Florian Weimer wrote:
> > - # Protect quotes and $ in command-line arguments from two shell evals - moreargs=$moreargs \$(echo $1 | sed -e 's//\\\/g' \ - -e 's/[$]/\\\$/g')\ + [EMAIL PROTECTED]$1 shift 1
>
> You sure that all escaping and sedding is not needed anymore?

Quite sure, yes. The [EMAIL PROTECTED] construct prevents interpretation of shell metacharacters, just like $@ does.

There is another command injection possibility, via the -d option, but its argument appears to be trusted anyway.
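The contrast discussed in the message above, between re-parsing a flattened argument string with eval and carrying the arguments in a bash array, as an added example that is not part of the thread or of the Debian wrapper script. The function names and the harmless `echo INJECTED` payload are constructed, and the old pattern is reduced to a single eval that escapes only `"` and `$`.

```bash
#!/bin/bash
# Added illustration; not code from the mozilla-thunderbird wrapper.
# Function names and the `echo INJECTED` payload are constructed.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"   # arrays need bash

# Old pattern: flatten the arguments into one string, escape only
# double quotes and $, then let eval parse that string again.
collect_with_eval() {
    local moreargs= a
    for a in "$@"; do
        a=$(printf '%s' "$a" | sed -e 's/"/\\"/g' -e 's/[$]/\\$/g')
        moreargs="$moreargs \"$a\""
    done
    eval "set -- $moreargs"      # backticks inside the string run here
    printf '%s\n' "$@"
}

# Patched pattern: append every argument to an array and expand it
# with "${array[@]}", so no argument is ever parsed as shell code.
collect_with_array() {
    local -a moreargs=()
    local a
    for a in "$@"; do
        moreargs[${#moreargs[@]}]="$a"   # index == current length: append
    done
    printf '%s\n' "${moreargs[@]}"
}

# Constructed input in the shape used in the bug report.
payload='mailto:`echo INJECTED`'

eval_result=$(collect_with_eval --compose "$payload")
array_result=$(collect_with_array --compose "$payload")

printf 'eval : %s\n' "$eval_result"    # backticks were executed
printf 'array: %s\n' "$array_result"   # backticks kept as literal text
```

The eval variant keeps `$` literal because the sed step covers it, which is why a blacklist of escaped characters looks sufficient until a metacharacter outside the list arrives.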
Bug#329667: mozilla-thunderbird --compose executes shell commands
Package: mozilla-thunderbird
Version: 1.0.6-3
Severity: grave
Tags: security

The --compose option executes shell commands:

  mozilla-thunderbird --compose 'mailto:`df`'

The df output appears in the To: line of the message.

(This is related to the recently disclosed Firefox bug, which does not seem to affect Debian thanks to a different wrapper script.)