[bug #55557] gropdf can execute arbitrary commands
From: Deri James
Subject: [bug #55557] gropdf can execute arbitrary commands
Date: Wed, 23 Jan 2019 10:59:33 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
URL:
<https://savannah.gnu.org/bugs/?55557>
Summary: gropdf can execute arbitrary commands
Project: GNU troff
Submitted by: deri
Submitted on: Wed 23 Jan 2019 03:59:31 PM UTC
Category: Device gropdf
Severity: 4 - Important
Item Group: Warning/Suspicious behaviour
Status: Confirmed
Privacy: Public
Assigned to: deri
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
_______________________________________________________
Details:
Vincent Lefevre has reported this security problem on the debian bug
tracker:-
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
So I am opening this bug here. It has been discussed on the groff mailing
list, here:-
http://lists.gnu.org/archive/html/groff/2019-01/msg00024.html
The problem is explained as:-
"... but providing a "filename" with a pipe character can yield an
arbitrary command execution:
$ touch foo
$ ls foo
foo
$ gropdf "rm foo|"
$ ls foo
ls: cannot access 'foo': No such file or directory
$
The reason is that gropdf is a Perl script that uses the insecure
null filehandle "<>"."
Colin Watson has suggested including code to "clean" the arguments passed
on the gropdf command line. He has also identified other Perl scripts which
may have a similar problem:-
$ find -name \*.pl | xargs grep -- '<>'
./src/devices/gropdf/gropdf.pl:while (<>)
./src/devices/gropdf/gropdf.pl: my $lin=<>;
./tmac/hyphenex.pl:while (<>) {
./contrib/gpinyin/gpinyin.pl:foreach (<>) { # get line from input
./contrib/gperl/gperl.pl:foreach (<>) {
./contrib/glilypond/glilypond.pl: LILYPOND: foreach (<>) {
./contrib/glilypond/glilypond.pl: } # end foreach <>
I shall look at ways of blocking this behaviour.
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?55557>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
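The mechanism behind the report, shown as an added example that is not code from groff, gropdf.pl or the fix the project eventually applied: Perl's null filehandle `<>` hands each element of `@ARGV` to two-argument `open()`, which interprets a trailing `|` as "run this command and read its output". The hardened reader below is one possible mitigation (explicit three-argument `open()`, which treats its third argument purely as a path); the demo substitutes a harmless `echo` for the `rm` in the report and uses a constructed temporary file, so it is safe to run.

```perl
#!/usr/bin/perl
# Added example (not code from groff or gropdf.pl): why `<>` is exploitable
# and one way to read command-line file arguments without that behaviour.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Vulnerable reader, using the same construct as gropdf.pl.  The null
# filehandle <> opens each element of @ARGV with two-argument open(), so an
# argument such as 'rm foo|' is treated as a pipe and the shell command
# before the '|' is executed.
sub read_lines_unsafe {
    local @ARGV = @_;
    my @lines;
    while (<>) { push @lines, $_ }
    return @lines;
}

# Hardened reader (this example's own approach, not necessarily groff's):
# every argument goes through three-argument open(), whose third argument
# is always a literal path, never a pipe spec or a mode prefix.  '-' is
# handled explicitly because three-argument open() would otherwise look for
# a file literally named "-".
sub read_lines_safe {
    my @lines;
    for my $path (@_) {
        if ($path eq '-') {
            push @lines, <STDIN>;
            next;
        }
        open(my $fh, '<', $path) or die "cannot open '$path': $!\n";
        push @lines, <$fh>;
        close $fh;
    }
    return @lines;
}

# Demonstration on a constructed temporary file.  The injected command is a
# harmless 'echo' rather than the 'rm' used in the bug report.
my ($tmp, $name) = tempfile(UNLINK => 1);
print $tmp "hello\n";
close $tmp;

# With the vulnerable reader the "filename" is executed: the returned line
# is the output of `echo injected`, proof that a command ran.
my @got = read_lines_unsafe('echo injected|');
print "unsafe reader returned: @got";

# The hardened reader still reads ordinary files ...
@got = read_lines_safe($name);
print "safe reader read the real file: @got";

# ... but refuses the pipe spec (ENOENT) and the file survives.
my @lines = eval { read_lines_safe("rm $name|") };
print "safe reader refused the pipe spec: $@" if $@;
print "file still exists: ", (-e $name ? "yes" : "no"), "\n";
```

On Perl 5.22 or later the double-diamond operator `<<>>` gives the same protection in a single token (it uses three-argument `open()` internally and does not treat `-` as standard input), which is the smallest change for the scripts listed in the grep output above; the explicit loop is the portable alternative for older Perls.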