Bug 89129 - another command injection vulnerability
Summary: another command injection vulnerability
Status: RESOLVED INVALID
Alias: None
Product: Portland
Classification: Unclassified
Component: xdg-utils (show other bugs)
Version: 1.1.0 rc1
Hardware: All Linux (All)
: high critical
Assignee: Portland Bugs
QA Contact:
URL: https://bugs.debian.org/777722
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-13 06:24 UTC by Michael Gilbert
Modified: 2015-02-21 00:47 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments

Description Michael Gilbert 2015-02-13 06:24:03 UTC
A Debian user reported a different command injection issue recently, and proposed a patch too:
https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=xdg-open.diff;att=1;bug=777722

Seems to do with local variable usage that isn't really local.  For more detail, see:
https://bugs.debian.org/777722
Comment 1 Rex Dieter 2015-02-20 16:55:24 UTC
The code has diverged a bit in git so that patch no longer applies.  

But good news:  the current code should be safe(r), since all uses of 
local $var
are initialized to avoid the problem, in particular, the code closest to what this patch touches now contains:


search_desktop_file()
{
    local default="$1"
    local dir="$2"
    local arg="$3"

    local file=""
    # look for both vendor-app.desktop, vendor/app.desktop
...


Lastly, with test case given in debian report, I cannot reproduce in fedora 20 at least.

$ cat testme
testme() {
   x=backfromthedead
   local x
   echo $x
}

$ bash testme

$ dash testme

$ rpm -q bash dash
bash-4.2.53-2.fc20.i686
dash-0.5.8-1.fc20.i686
Comment 2 Michael Gilbert 2015-02-21 00:47:47 UTC
The script you ran lacks the actual function call, the call to "testme" at the end.  It should be:

$ cat testme
testme() {
   x=backfromthedead
   local x
   echo $x
}
testme


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.