[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#60924: gunzip susceptible to PATH highjacking

From: Peter Hutterer
Subject: bug#60924: gunzip susceptible to PATH highjacking
Date: Wed, 18 Jan 2023 14:39:14 +1000

Hi all,

Simple summary: gunzip executes any "gzip" executable if the caller
adjusts PATH.

$ echo "boom" > gzip
$ chmod +x gzip
$ PATH="$PWD:$PATH" /usr/bin/gunzip 

We discovered this as part of a fix to libXpm, an library to parse X
pixmaps. libXpm forks out to gunzip to decompress an xpm.gz file and
any libXpm application can thus be made to exec a random binary by
highjacking PATH.

Our initial fix was to change this to call /usr/bin/gunzip explicitly
(i.e. with the built-in prefix). [1] But since gunzip execs gzip from
$PATH, nothing really changes - we now fixed this in libXpm by calling
/usr/bin/gzip -d instead [2]

Not sure if this is a bug, intentional, or just a "meh, too niche to
worry about". Or possibly a combination of all three, I'm happy with



reply via email to

[Prev in Thread] Current Thread [Next in Thread]