[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug #55557] gropdf can execute arbitrary commands

From: Deri James
Subject: [bug #55557] gropdf can execute arbitrary commands
Date: Wed, 23 Jan 2019 10:59:33 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0


                 Summary: gropdf can execute arbitrary commands
                 Project: GNU troff
            Submitted by: deri
            Submitted on: Wed 23 Jan 2019 03:59:31 PM UTC
                Category: Device gropdf
                Severity: 4 - Important
              Item Group: Warning/Suspicious behaviour
                  Status: Confirmed
                 Privacy: Public
             Assigned to: deri
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None



Vincent Lefevre has reported this security problem on the debian bug


So I am opening this bug here. It has been discussed on the groff mailing
list, here:-


The problem is explained as:-

"... but providing a "filename" with a pipe character can yield an
arbitrary command execution:

$ touch foo
$ ls foo
$ gropdf "rm foo|"
$ ls foo
ls: cannot access 'foo': No such file or directory

The reason is that gropdf is a Perl script that uses the insecure
null filehandle "<>". "

Colin Watson has suggested including code to "clean" the the arguments passed
on the gropdf command line. He has also identified other perl scripts which
may have a similar problem:-

  $ find -name \*.pl | xargs grep -- '<>'
  ./src/devices/gropdf/gropdf.pl:while (<>)
  ./src/devices/gropdf/gropdf.pl: my $lin=<>;
  ./tmac/hyphenex.pl:while (<>) {
  ./contrib/gpinyin/gpinyin.pl:foreach (<>) {     # get line from input
  ./contrib/gperl/gperl.pl:foreach (<>) {
  ./contrib/glilypond/glilypond.pl: LILYPOND: foreach (<>) {
  ./contrib/glilypond/glilypond.pl:  } # end foreach <>

I shall look at ways of blocking this behaviour.


Reply to this item at:


  Message sent via Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]