Ticket #2913 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

CVE-2012-4463 mc-4.8.5: Does not sanitize MC_EXT_SELECTED variable properly

Reported by: iankko Owned by: slavazanko
Priority: minor Milestone: 4.8.7
Component: mc-core Version: 4.8.5
Keywords: Security, CVE-2012-4463 Cc: onlyjob@…, jnovy@…, milan.cermak@…
Blocked By: Blocking:
Branch state: merged Votes for changeset: committed-master

Description

Paul Hartman reported the following (minor) security flaw
into Gentoo's bugzilla:

https://bugs.gentoo.org/show_bug.cgi?id=436518

When multiple files are selected and F3 / Enter key is pressed on some of the files, MC_EXT_SELECTED variable does not sanitize the whitespace characters properly (leading into situation when first file is used as the actual value of MC_EXT_SELECTED variable and the remaining files from the list are used as arguments passed to the temporary script, created to handle F3 / Enter action on the first file).

A remote attacker could provide a specially-crafted archive and trick the local Midnight Commander user into expanding and viewing it, which under certain circumstances could lead to arbitrary code execution with the privileges of the user running the mc executable.

Attachments

ext.c_quote_mc_ext_env_vars.diff (1.1 KB) - added by slackmail 4 years ago.

Change History

comment:2 Changed 4 years ago by iankko

  • Keywords Security, CVE-2012-4463 added; Security removed
  • Summary changed from mc-4.8.5: Does not sanitize MC_EXT_SELECTED variable properly to CVE-2012-4463 mc-4.8.5: Does not sanitize MC_EXT_SELECTED variable properly

The CVE identifier of CVE-2012-4463 has been assigned to this issue:
[3] http://www.openwall.com/lists/oss-security/2012/10/03/5

comment:3 Changed 4 years ago by onlyjob

  • Cc onlyjob@… added

comment:4 Changed 4 years ago by jnovy

  • Cc jnovy@… added

comment:5 Changed 4 years ago by mcermak

  • Cc milan.cermak@… added

comment:6 Changed 4 years ago by slackmail

Hi all, no offence indended, but...

The provided fix in "https://bugs.gentoo.org/show_bug.cgi?id=436518" for this security related bug is NOT correct.

So in order to limit the damage resulting from "blindly" copying the above patch I attach a extended and really *working* fix for this issue.

A short explanation for all interested:
The original modification of "g_string_append_printf" builds a temporary shell script where every assignement made to environment variables except MC_EXT_FILENAME is quoted (MC_EXT_BASENAME, MC_EXT_CURRENTDIR, MC_EXT_SELECTED, MC_EXT_ONLYTAGGED).

This completely breaks every script using the variables MC_EXT_BASENAME and MC_EXT_CURRENTDIR because they are now double quoted.

My modification adds the logic needed to only quote the filename lists MC_EXT_SELECTED and MC_EXT_ONLYTAGGED.

Hope this helps anyone looking for a preliminary solution...

Changed 4 years ago by slackmail

comment:7 Changed 4 years ago by slavazanko

  • Owner set to slavazanko
  • Status changed from new to accepted
  • Branch state changed from no branch to on review
  • Milestone changed from Future Releases to 4.8.7

Created branch 2913_sanitize

Review, please.

comment:8 Changed 4 years ago by andrew_b

  • Votes for changeset set to andrew_b

comment:9 Changed 4 years ago by angel_il

  • Votes for changeset changed from andrew_b to andrew_b angel_il
  • Branch state changed from on review to approved

comment:10 Changed 4 years ago by slavazanko

  • Status changed from accepted to testing
  • Votes for changeset changed from andrew_b angel_il to committed-master
  • Resolution set to fixed
  • Branch state changed from approved to merged

Merged to master:

git log --pretty=oneline bf475ce..a51df49

comment:11 Changed 4 years ago by slavazanko

  • Status changed from testing to closed
Note: See TracTickets for help on using tickets.