[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#60924: gunzip susceptible to PATH highjacking
From: |
Peter Hutterer |
Subject: |
bug#60924: gunzip susceptible to PATH highjacking |
Date: |
Wed, 18 Jan 2023 14:39:14 +1000 |
Hi all,
Simple summary: gunzip executes any "gzip" executable if the caller
adjusts PATH.
$ echo "boom" > gzip
$ chmod +x gzip
$ PATH="$PWD:$PATH" /usr/bin/gunzip
boom
We discovered this as part of a fix to libXpm, an library to parse X
pixmaps. libXpm forks out to gunzip to decompress an xpm.gz file and
any libXpm application can thus be made to exec a random binary by
highjacking PATH.
Our initial fix was to change this to call /usr/bin/gunzip explicitly
(i.e. with the built-in prefix). [1] But since gunzip execs gzip from
$PATH, nothing really changes - we now fixed this in libXpm by calling
/usr/bin/gzip -d instead [2]
Not sure if this is a bug, intentional, or just a "meh, too niche to
worry about". Or possibly a combination of all three, I'm happy with
either.
Cheers,
Peter
[1]
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff916696d0a14308ff4f3a376
[2]
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/8178eb0834d82242e1edbc7d4fb0d1b397569c68
- bug#60924: gunzip susceptible to PATH highjacking,
Peter Hutterer <=