Arbitrary shell command injection in lilypond-invoke-editor

bug-lilypond

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Arbitrary shell command injection in lilypond-invoke-editor

From:	Gabriel Corona
Subject:	Arbitrary shell command injection in lilypond-invoke-editor
Date:	Wed, 15 Nov 2017 00:12:48 +0100
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0

Hi,

I reported this bug on sensible-browser:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881767

The summary is that some specially crafted URIs might lead to the
injection of arbitrary arguments when calling the browser.

As mentioned in the bug report, I found other softwares having this same
vulnerability and lilypond-invoke-editor is one of them.

In fact, in lilypond-invoke-editor's case it's even worse than that as
lilypond-invoke-editor can be used to execute arbitrary commands:

BROWSER="chromium" /usr/bin/lilypond-invoke-editor
"http://www.example.com/ & xterm"

BROWSER="chromium" /usr/bin/lilypond-invoke-editor
"http://www.example.com/&xterm";

(While the first argument is an invalid URI, the second example is an
absolutely valid one).

As a proof of concept, you'll find as an attachment an example PDF file.
Clicking on the link using mupdf, spawns a xterm process:

BROWSER="lilypond-invoke-editor" mupdf test.pdf

Cheers,

-- 
Gabriel

test.pdf
Description: Adobe PDF document

[Prev in Thread]

Current Thread

[Next in Thread]

Arbitrary shell command injection in lilypond-invoke-editor, Gabriel Corona <=
- Re: Arbitrary shell command injection in lilypond-invoke-editor, Knut Petersen, 2017/11/22
  - Re: Arbitrary shell command injection in lilypond-invoke-editor, Gabriel Corona, 2017/11/22

Prev by Date: Re: Automatic beaming fails with tuplets
Next by Date: Fwd: a contribution
Previous by thread: Automatic beaming fails with tuplets
Next by thread: Re: Arbitrary shell command injection in lilypond-invoke-editor
Index(es):
- Date
- Thread