bug#60924: gunzip susceptible to PATH highjacking

bug-gzip

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#60924: gunzip susceptible to PATH highjacking

From:	Peter Hutterer
Subject:	bug#60924: gunzip susceptible to PATH highjacking
Date:	Wed, 18 Jan 2023 14:39:14 +1000

Hi all,

Simple summary: gunzip executes any "gzip" executable if the caller
adjusts PATH.

$ echo "boom" > gzip
$ chmod +x gzip
$ PATH="$PWD:$PATH" /usr/bin/gunzip 
boom

We discovered this as part of a fix to libXpm, an library to parse X
pixmaps. libXpm forks out to gunzip to decompress an xpm.gz file and
any libXpm application can thus be made to exec a random binary by
highjacking PATH.

Our initial fix was to change this to call /usr/bin/gunzip explicitly
(i.e. with the built-in prefix). [1] But since gunzip execs gzip from
$PATH, nothing really changes - we now fixed this in libXpm by calling
/usr/bin/gzip -d instead [2]

Not sure if this is a bug, intentional, or just a "meh, too niche to
worry about". Or possibly a combination of all three, I'm happy with
either.

Cheers,
  Peter

[1] 
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff916696d0a14308ff4f3a376
[2] 
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/8178eb0834d82242e1edbc7d4fb0d1b397569c68

[Prev in Thread]

Current Thread

[Next in Thread]

bug#60924: gunzip susceptible to PATH highjacking, Peter Hutterer <=
- bug#60924: gunzip susceptible to PATH highjacking, Paul Eggert, 2023/01/18
  - bug#60924: gunzip susceptible to PATH highjacking, Jim Meyering, 2023/01/18

Prev by Date: bug#60384: [platform-testers] new snapshot available: gzip-1.12.31-7553
Next by Date: bug#60924: gunzip susceptible to PATH highjacking
Previous by thread: bug#60384: [platform-testers] new snapshot available: gzip-1.12.31-7553
Next by thread: bug#60924: gunzip susceptible to PATH highjacking
Index(es):
- Date
- Thread