Bug#404233: CVE-2006-6678: Netrik arbitrary command execution

2006-12-22 Thread Stefan Fritsch 
Package: netrik
Severity: grave
Tags: security
Justification: user security hole

A vulnerability has been reported in Netrik:

The edit_textarea function in form-file.c in Netrik 1.15.4 and earlier
does not properly verify temporary filenames when editing textarea
fields, which allows attackers to execute arbitrary commands via shell
metacharacters in the filename.

This is fixed in 1.15.5

Please mention the CVE id in the changelog.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#404233: CVE-2006-6678: Netrik arbitrary command execution

2006-12-22 Thread Steve Kemp 
On Fri, Dec 22, 2006 at 06:42:41PM +0100, Stefan Fritsch wrote:

> A vulnerability has been reported in Netrik:

  Thanks for the report.  Security update for Sarge is building now.

  Patch attached:

Steve
-- 

--- form-file.c 2003-08-06 10:28:45.0 +
+++ /home/skx/form-file.c   2006-12-22 22:19:12.0 +
@@ -10,6 +10,7 @@
  * (C) 2003 antrik
  */

+#include 
 #include 
 #include 
 #include 
@@ -107,6 +108,14 @@
   char temp_name[size];
   snprintf(temp_name, size, format, name);

+  /* make sure we get a proper filename */
+  {
+char   *chr;
+for(chr=temp_name; *chr; ++chr)
+   if(!isalnum(*chr))/* not safe filename char -> replace */
+  *chr='_';
+  }
+
   /* write temporary file */
   {
 intfildes;



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]