Bug 191295 - app-shells/pdmenu: custom command injection vulnerability
Summary: app-shells/pdmenu: custom command injection vulnerability
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2? [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-09-04 19:35 UTC by Daniel Mach
Modified: 2007-11-06 19:15 UTC

See Also:
Package list:
Runtime testing required: ---


Description Daniel Mach 2007-09-04 19:35:36 UTC
Pdmenu allows running an executable which is not defined in the menu.
A user can gain access to a regular shell this way.

Reproducible: Always

Steps to Reproduce:
1. use the following /etc/pdmenurc:
#!/usr/bin/pdmenu
menu:main:Main Menu
        exec:_ping an IP address...:edit,pause:echo "Press Ctrl-c to stop pinging"; ping ~Ping what server?:~
        nop
        exit:_Exit

2. select 1st menu item
3. type '; bash' (without apostrophes) and press enter

Actual Results:  
#ping ; bash
bash is executed

Expected Results:  
#ping '; bash'
ping: unknown host ; bash
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-06 09:24:45 UTC
Thanks for your report Daniel. Did you discover this? If so, did you contact upstream about it? If not, do you have references on this vulnerability?
Comment 2 Daniel Mach 2007-09-06 13:41:52 UTC
(In reply to comment #1)
> Thanks for your report Daniel. Did you discover this? If so, did you
> contact upstream about it? If not, do you have references on this
> vulnerability?
> 

Yes, I discovered this myself.
I haven't contacted upstream yet but I can do it if you want.

There is a newer version of pdmenu than the one in Gentoo, but this bug can be reproduced even in the svn version (I tried it a while ago).
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-06 14:02:00 UTC
> Yes, I discovered this myself.
> I haven't contacted upstream yet but I can do it if you want.

Yes, please. Keep us informed whether they're willing to correct this (I don't know pdmenu, but this looks pretty serious while being rather simple to exploit, so I guess they will fix it).

> There is a newer version of pdmenu than the one in Gentoo, but this bug can be
> reproduced even in the svn version (I tried it a while ago).

Okay, thanks for the info.

Comment 4 Daniel Mach 2007-09-11 09:09:51 UTC
(In reply to comment #3)
> > Yes, I discovered this myself.
> > I haven't contacted upstream yet but I can do it if you want.
> 
> Yes, please. Keep us informed whether they're willing to correct this (I don't
> know pdmenu, but this looks pretty serious while being rather simple to
> exploit, so I guess they will fix it).
> 
> > There is a newer version of pdmenu than the one in Gentoo, but this bug can be
> > reproduced even in the svn version (I tried it a while ago).
> 
> Okay, thanks for the info.
> 

I have contacted upstream and he claims that this behaviour is all right.
It is even documented in pdmenurc(5):
"Security warning! Any exec command that uses the 'edit' flag will be a security hole. The user need only to enter text with a ';' in it, and they can run an arbitrary command after the semicolon!"

From my point of view, there are several possible solutions:
 - replace system() with one of the exec* functions
 - escape 'edit' output somehow
 - mask or hard mask pdmenu in portage

I have been working on a patch, but since I'm not a C programmer, it may take a while to fix it properly.
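The unsafe pattern behind this report and the two fixes suggested above, as an added C example that is not pdmenu's code; build_unsafe_cmd, shell_quote and run_noshell are hypothetical names chosen for illustration.

```c
/* Added example, not pdmenu's code: the unsafe pattern behind this bug and
 * the two fixes suggested in comment 4. All function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The bug: the edited text is spliced into a command line that system(3)
 * then hands to sh, so "; bash" becomes "ping ; bash" (the Actual Results). */
static const char *build_unsafe_cmd(const char *host, char *out, size_t n) {
    snprintf(out, n, "ping %s", host);
    return out;
}

/* Fix (a), "escape the edit output": wrap the text in single quotes, turning
 * each embedded ' into '\'' so the shell sees exactly one literal word.
 * Returns the quoted length, or -1 if the buffer is too small. */
static int shell_quote(const char *in, char *out, size_t n) {
    size_t j = 0;
    if (n < 3) return -1;
    out[j++] = '\'';
    for (; *in; in++) {
        const char *rep = (*in == '\'') ? "'\\''" : NULL;
        size_t len = rep ? strlen(rep) : 1;
        if (j + len + 1 >= n) return -1;        /* room for closing ' and NUL */
        if (rep) { memcpy(out + j, rep, len); j += len; }
        else       out[j++] = *in;
    }
    out[j++] = '\'';
    out[j] = '\0';
    return (int)j;
}

/* Fix (b), "replace system() with exec*": no shell at all. The edited text is
 * one argv element, so ';' reaches the program as data, never as syntax.
 * Returns the child's exit status, or -1 on fork/wait failure. */
static int run_noshell(char *const argv[]) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                             /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With fix (b) a menu entry would pass the edited text as its own argv element (e.g. {"ping", text, NULL}), which is what turns the Actual Results above into the Expected Results.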
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-12 09:12:03 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > > Yes, I discovered this myself.
> > > I haven't contacted upstream yet but I can do it if you want.
> > 
> > Yes, please. Keep us informed whether they're willing to correct this (I don't
> > know pdmenu, but this looks pretty serious while being rather simple to
> > exploit, so I guess they will fix it).
> > 
> > > There is a newer version of pdmenu than the one in Gentoo, but this bug can be
> > > reproduced even in the svn version (I tried it a while ago).
> > 
> > Okay, thanks for the info.
> > 
> 
> I have contacted upstream and he claims that this behaviour is all right.
> It is even documented in pdmenurc(5):
> "Security warning! Any exec command that uses the 'edit' flag will be a
> security hole. The user need only to enter text with a ';' in it, and they can
> run an arbitrary command after the semicolon!"
> 
> From my point of view, there are several possible solutions:
>  - replace system() with one of the exec* functions
>  - escape 'edit' output somehow
>  - mask or hard mask pdmenu in portage
   - add some ewarn to the ebuild?

Jokey, what do you think of this?


> I have been working on a patch, but since I'm not a C programmer, it may take a
> while to fix it properly.
> 

Thank you very much for your help, but if you really don't know C at all, don't bother with that, we'll handle it.
Comment 6 Markus Ullmann (RETIRED) gentoo-dev 2007-10-28 11:12:36 UTC
We have a big fat warning at the end of the merge now; that should suffice, as it is (albeit broken by design imho) expected behavior.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-28 11:37:17 UTC
I suggest closing this one as INVALID since upstream considers this as a feature and using pdmenu as login shell seems to be almost identical to using bash from a security viewpoint.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-06 19:15:55 UTC
(In reply to comment #7)
> I suggest closing this one as INVALID since upstream considers this as a
> feature and using pdmenu as login shell seems to be almost identical to using
> bash from a security viewpoint.
> 

Agreed.

(In reply to comment #5)
> (In reply to comment #4)
> 
> > I have been working on a patch, but since I'm not a C programmer, it may take a
> > while to fix it properly.
> > 
> 
> Thank you very much for your help, but if you really don't know C at all, don't
> bother with that, we'll handle it.
> 

Daniel: I wish I hadn't given you false hope. At first I thought I could find some time to fix this, but we've got lots of more serious bugs to deal with, so if you really want to get this fixed, I guess you'll have to see with upstream and/or do it by yourself, sorry :/