Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 19916 - gkrellm-newsticker
Summary: gkrellm-newsticker
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Highest critical (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-04-25 03:01 UTC by Daniel Ahlberg (RETIRED)
Modified: 2011-10-30 22:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-04-25 03:01:48 UTC
Security problems in gkrellm-newsticker 
 
From:  
Martin Schulze <joey@infodrom.org> 
 
 
To:  
bugtraq@securityfocus.com 
 
 
Date:  
Wednesday 15.52.51 
 
 
Brian Campbell discovered two security-related problems in 
gkrellm-newsticker, a plugin for the gkrellm system monitor program, 
which provides a news ticker from RDF feeds.  The following IDs were 
assigned: 
 
CAN-2003-0205 
 
  gkrellm-newsticker can launch a web browser of the user's choice 
  when the ticker title is clicked by using the URI given by the feed. 
  However, special shell characters are not properly escaped enabling 
  a malicious feed to execute arbitrary shell commands on the clients 
  machine. 
 
CAN-2003-0206 
 
  gkrellm-newsticker crashes the entire gkrellm system on RDF files 
  where link or title elements are not entirely on a single line.  A 
  malicious server could therefore craft a denial of service.  The 
  nature of the crash means that it cannot be exploited to perform any 
  other actions (it simply attempts to allocate a silly amount of 
  memory). 
 
Below is a patch from Brian Campbell to fix both problems. 
 
As the parser does not make any real attempt to parse XML, the patch 
just takes the remainder of the first line. 
 
 
diff -ur gkrellm-newsticker-0.3.orig/newsticker.c gkrellm-newsticker-0.3/newsticker.c 
--- gkrellm-newsticker-0.3.orig/newsticker.c    Sun Jan 20 21:02:40 2002 
+++ gkrellm-newsticker-0.3/newsticker.c Sat Apr  5 09:37:18 2003 
@@ -292,7 +292,12 @@ 
            pt = strchr(pt, '>'); 
            pt++; 
            pt2 = strstr(buf, "</link>"); 
-           nt->link = g_strndup(pt, (pt2 - pt)); 
+           /* Can't handle multiple lines properly, but at least make some 
+            * effort. */ 
+           if (pt2) 
+               nt->link = g_strndup(pt, (pt2 - pt)); 
+           else 
+               nt->link = g_strdup(pt); 
            flag++; 
            continue; 
        } 
@@ -306,10 +311,20 @@ 
            pt = strchr(pt, '>'); 
            pt++; 
            pt2 = strstr(buf, "</title>"); 
-           if (flag == 2) 
-               nt->headline = g_strndup(pt, (pt2 - pt)); 
-           else 
-               nt->headline = g_strconcat(nt->headline, " --- ", g_strndup(pt, (pt2 - pt)), NULL); 
+           /* Again, let's not fail completely when the element spans more 
+            * than one line. */ 
+           if (pt2) 
+           { 
+               if (flag == 2) 
+                   nt->headline = g_strndup(pt, (pt2 - pt)); 
+               else 
+                   nt->headline = g_strconcat(nt->headline, " --- ", g_strndup(pt, (pt2 - pt)), NULL); 
+           } else { 
+               if (flag == 2) 
+                   nt->headline = g_strdup(pt); 
+               else 
+                   nt->headline = g_strconcat(nt->headline, " --- ", g_strdup(pt), NULL); 
+           } 
            flag++; 
            if (flag > (num_headlines+1)) 
                break; 
@@ -474,10 +489,36 @@ 
     return FALSE; 
 } 
  
+/* Make a URI suitable for use in a shell command. */ 
+static gchar *escape_uri(gchar *uri) 
+{ 
+    gchar *cur, *result, *resultcur; 
+    int count = 1; 
+ 
+    for (cur = uri; *cur; cur++) 
+       count += (*cur == '\'') ? 3 : 1; 
+ 
+    result = g_malloc(count); 
+    for (cur = uri, resultcur = result; *cur; cur++) 
+    { 
+       if (*cur == '\'') 
+       { 
+           *resultcur++ = '%'; 
+           *resultcur++ = '2'; 
+           *resultcur++ = '7'; 
+       } 
+       else 
+           *resultcur++ = *cur; 
+    } 
+    *resultcur = '\0'; 
+ 
+    return result; 
+} 
  
 static gint panel_click_event(GtkWidget *widget, GdkEventButton *ev) 
 { 
     gchar              *command; 
+    gchar              *link; 
     GList              *list; 
     Newsticker         *nt; 
         
@@ -490,7 +531,9 @@ 
        { 
            if ((ev->button == 1) && (strcmp(nt->link, "NULL"))) 
            { 
-               command = g_strdup_printf(browser, nt->link); 
+               link = escape_uri(nt->link); 
+               command = g_strdup_printf(browser, link); 
+               g_free(link); 
                command = g_strconcat(command, " &", NULL); 
                system(command); 
                g_free(command); 
 
 
Regards, 
 
        Joey 
        Debian Security Team 
 
--  
The good thing about standards is that there are so many to choose from. 
                -- Andrew S. Tanenbaum
Comment 1 solar (RETIRED) gentoo-dev 2003-10-11 12:52:39 UTC
seemant, 

On IRC you mentioned that this bug was invalid. Please confirm by noting
why on this bug.

I looked over the src code to patch but it seemed like completely incorrect
versions.
Comment 2 solar (RETIRED) gentoo-dev 2003-12-10 14:40:39 UTC
seemant.. ping..
Comment 3 solar (RETIRED) gentoo-dev 2003-12-10 21:25:47 UTC
aliz,
we cant find this code in portage, can you please point us at the effected code
Comment 4 SpanKY gentoo-dev 2004-02-11 20:02:20 UTC
talk to seemant and verified we can nuke this