CVE-2017-17530 (https://nvd.nist.gov/vuln/detail/CVE-2017-17530): common/help.c in Geomview 1.9.5 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. @Maintainers please confirm if we are affected. Thank you
Hm, the functionality linked in Debian's tracker bug seems to be for viewing the local documentation installed with the package. I'm not sure how an attacker could manipulate the URLs it's fed.
Specifically, the vulnerable code is this (https://sources.debian.org/src/geomview/1.9.5-1/src/bin/geomview/common/help.c/?hl=51#L83):

```c
snprintf(helper, PATH_MAX, "%s %s &", browser, file);
dummy = system(helper);
```

So if `browser` or `file` can be controlled by an attacker, the attacker controls the command line passed to system(). In particular, the CVE says the BROWSER environment variable could be problematic. I think it means WEBBROWSER. At line 50, if WEBBROWSER is set in the environment, `browser` gets the value of WEBBROWSER, else it gets the value of the macro DFLTHTMLBROWSER, which is `firefox` by default.

```c
if (*htmlbrowser == '\0') {
    if ((browser = getenv("WEBBROWSER")) == NULL) {
        browser = DFLTHTMLBROWSER;
    }
} else {
    browser = htmlbrowser;
}
```

Since environment variables are implicitly trusted here, WEBBROWSER seems uninteresting, so let's look at `file`, at line 71:

```c
if ((docdir = getenv("GEOMVIEW_DOC_DIR")) == NULL) {
    docdir = DOCDIR; /* compile-time default */
}
if (strncasecmp(type, "html", strlen("html")) == 0) {
    [snip]
    dfltfile = "%s/html/index.html";
    langfile = "%s/html/%s/index.html";
}
[snip]
if ((lang = getenv("LANG")) != NULL) {
    snprintf(helper, PATH_MAX, langfile, docdir, lang);
    file = findfile(NULL, helper);
}
if (file == NULL) {
    snprintf(helper, PATH_MAX, dfltfile, docdir);
    file = findfile(NULL, helper);
}
```

Since the environment is trusted, we can ignore the conditional based on getenv(). If LANG is not set in the environment, `helper` will get the value of dfltfile, which is "%s/html/index.html", where the "%s" is replaced with `docdir`. The only way to control `docdir` at runtime is via the GEOMVIEW_DOC_DIR environment variable, which we can again treat as trusted as coming from the environment. I don't think there's any impact here.
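Added example (not Geomview's code and not from the thread above): it contrasts the word-splitting that system() applies to the `"%s %s &"` command line with an argv-based launcher that hands `file` to the browser as exactly one argument, which is the usual fix for this class of bug. The function names and the sample path with a space are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Count the words /bin/sh would see in the original "%s %s &" command line
 * (whitespace split only, ignoring quoting). This mirrors what system()
 * does to the snprintf output in help.c: a path with a space, or a value
 * containing "-something", becomes extra words on the browser's command line. */
static int shell_word_count(const char *browser, const char *file) {
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "%s %s &", browser, file);
    int words = 0, in_word = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == ' ' || *p == '\t') in_word = 0;
        else if (!in_word) { in_word = 1; words++; }
    }
    return words; /* includes the trailing '&' */
}

/* Hardened variant (constructed name): build an argv instead of a shell
 * string. argv[1] is `file` verbatim, so spaces never split it, and a value
 * starting with '-' is refused because the browser would parse it as an
 * option. Returns argc (always 2) or -1 if the file name is rejected. */
static int build_argv(const char *browser, const char *file, char *argv[3]) {
    if (file == NULL || file[0] == '-') return -1;
    argv[0] = (char *)browser;
    argv[1] = (char *)file;
    argv[2] = NULL;
    return 2;
}

/* Launch without a shell via posix_spawnp (searches PATH like the shell
 * would). Returns 0 and the child's pid on success, -1 on rejection or
 * spawn failure; the caller decides whether to wait for the child. */
static int launch_browser(const char *browser, const char *file, pid_t *pid_out) {
    char *argv[3];
    if (build_argv(browser, file, argv) < 0) return -1;
    pid_t pid;
    if (posix_spawnp(&pid, browser, NULL, NULL, argv, environ) != 0) return -1;
    if (pid_out) *pid_out = pid;
    return 0;
}
```
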