gropdf can execute arbitrary commands
From: Vincent Lefevre
Subject: gropdf can execute arbitrary commands
Date: Wed, 23 Jan 2019 14:01:37 +0100
User-agent: Mutt/1.11.2+89 (4e6744dc) vl-114617 (2019-01-18)

Hi,
I've reported the following bug in the Debian BTS:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
According to the gropdf(1) man page:

  gropdf [-dels] [-F dir] [-I dir] [-p paper-size] [-u [cmapfile]]
         [-y foundry] [file ...]

but providing a "filename" with a pipe character can yield an
arbitrary command execution:

  $ touch foo
  $ ls foo
  foo
  $ gropdf "rm foo|"
  $ ls foo
  ls: cannot access 'foo': No such file or directory
  $

The reason is that gropdf is a Perl script that uses the insecure
null filehandle "<>". The perlop(1) man page says:

  Since the null filehandle uses the two argument form of "open" in
  perlfunc it interprets special characters, so if you have a script like
  this:

      while (<>) {
          print;
      }

  and call it with "perl dangerous.pl 'rm -rfv *|'", it actually opens a
  pipe, executes the "rm" command and reads "rm"'s output from that pipe.

--
Vincent Lefèvre <address@hidden> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
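
A hardened way to read file arguments, as an added example that is not part of the original message and is not gropdf's code: three-argument open with a fixed '<' mode treats each argument purely as a path (on Perl 5.22 and later the "<<>>" operator does the same for ARGV). The helper name slurp_args and the file names are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not gropdf's code): read every file named in the argument
# list without letting a name such as "rm foo|" be interpreted by open().
use strict;
use warnings;
use File::Temp qw(tempdir);

# Three-argument open: the mode is fixed to '<', so the name is only ever
# a path. A leading or trailing '|', '>' or space has no special meaning.
sub slurp_args {
    my @names = @_;
    my (@lines, @errors);
    for my $name (@names) {
        my $fh;
        if (!open($fh, '<', $name)) {
            # Report and continue, as a filter reading several files would.
            push @errors, "cannot open '$name': $!";
            next;
        }
        push @lines, <$fh>;
        close($fh);
    }
    return (\@lines, \@errors);
}

# Constructed demonstration in a scratch directory (removed on exit).
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/input.txt") or die "create: $!";
print {$out} "hello\n";
close($out);

# The second argument has the shape of the name in the report. With
# two-argument open (and therefore with <>) it would start a process;
# here it is looked up as a file name and simply not found.
my ($lines, $errors) = slurp_args("$dir/input.txt", "touch $dir/marker|");

print "read: $_" for @$lines;
print "error: $_\n" for @$errors;
print "marker created: ", (-e "$dir/marker" ? "yes" : "no"), "\n";
```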