[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

gropdf can execute arbitrary commands

From: Vincent Lefevre
Subject: gropdf can execute arbitrary commands
Date: Wed, 23 Jan 2019 14:01:37 +0100
User-agent: Mutt/1.11.2+89 (4e6744dc) vl-114617 (2019-01-18)


I've reported the following bug in the Debian BTS:


According to the gropdf(1) man page:

       gropdf [-dels] [-F dir] [-I dir] [-p paper-size] [-u [cmapfile]]
              [-y foundry] [file ...]

but providing a "filename" with a pipe character can yield an
arbitrary command execution:

$ touch foo
$ ls foo
$ gropdf "rm foo|"
$ ls foo
ls: cannot access 'foo': No such file or directory

The reason is that gropdf is a Perl script that uses the insecure
null filehandle "<>". The perlop(1) man page says:

  Since the null filehandle uses the two argument form of "open" in
  perlfunc it interprets special characters, so if you have a script like

      while (<>) {

  and call it with "perl dangerous.pl 'rm -rfv *|'", it actually opens a
  pipe, executes the "rm" command and reads "rm"'s output from that pipe.

Vincent Lefèvre <address@hidden> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

reply via email to

[Prev in Thread] Current Thread [Next in Thread]