
Bug 325531 (CVE-2010-2246)

Summary: <media-gfx/feh-1.8: Remote passive compromise (CVE-2010-2246)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: graphics+disabled, lilwyrm
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://derf.homelinux.org/interblag/entry/code-execution-hole-in-feh-wget-timestamp.xhtml
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 16:54:40 UTC
"For feh versions <= 1.7 down to at least 1.3.4, feh -G/--wget-timestamp contains a remote code execution hole when called with malicious URLs containing shell characters.

The problem is that --wget-timestamp does a system() call to /bin/cp, handing it the unescaped URL. If the URL were to contain a sequence like ';something', "something" would be interpreted and executed as a new shell command.

Constraints: The user must use --wget-timestamp, the URL's command part may (apparently) not contain "obfuscation" like %20 for space etc., and the remote file must exist on the server.

Example: Try "feh --wget-timestamp 'https://derf.homelinux.org/stuff/foo;touch lol_hax'". Result.

All in all this is rather improbable, but I'd advise you anyways to update to feh 1.8 ;-)"

https://derf.homelinux.org/git/feh/patch/?id=ae56ce24b10767800b1715e7e68b41c7d3571b4c
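The bug class described above, as an added example that is not feh's code and not part of the original report: a reconstruction of the vulnerable pattern (a URL-derived file name spliced into a command line that a shell parses), a small metacharacter pre-check, and the hardened form, which forks and execs cp with an argv vector so no shell ever sees the name. The function names, the scratch directory under /tmp and the sample file contents are all constructed for this example; the file name reuses the report's "foo;touch lol_hax" payload to show that, without a shell, it is just one argument.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Constructed example; none of these functions are feh's own code.
 *
 * Vulnerable pattern (the bug class the report describes): the URL-derived
 * file name is spliced into a command line that a shell will parse, so a
 * ';' inside it ends the cp command and starts a new one.  This helper only
 * builds the string so it can be inspected; it never hands it to system(). */
int build_cp_command_unsafe(char *out, size_t outlen,
                            const char *src, const char *dst)
{
    return snprintf(out, outlen, "/bin/cp %s %s", src, dst);
}

/* Detection helper: does a name contain characters a POSIX shell treats
 * specially?  A useful pre-check for code that still has to go through a
 * shell, but not a substitute for avoiding the shell altogether. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&$`<>(){}[]*?!~'\"\\ \t\n") != NULL;
}

/* Hardened form: fork and exec cp with an argv vector.  No shell is
 * involved, so the whole name, semicolon included, is one argument.
 * "--" stops cp from reading a name beginning with '-' as an option.
 * Returns cp's exit status (0 on success) or -1 on a fork/wait error. */
int copy_file_noshell(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("cp", "cp", "--", src, dst, (char *)NULL);
        _exit(127); /* only reached if exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstration: copy a file whose name carries the report's
 * ";touch lol_hax" payload through the no-shell path, then confirm the copy
 * exists and no lol_hax file was created (neither in the scratch directory
 * nor in the current directory).  Returns 1 on success, 0 otherwise. */
int demo_noshell_copy(void)
{
    char dir[64];
    snprintf(dir, sizeof dir, "/tmp/feh-demo-%ld", (long)getpid()); /* constructed */
    if (mkdir(dir, 0700) != 0)
        return 0;

    char src[512], dst[512], marker[512];
    snprintf(src, sizeof src, "%s/foo;touch lol_hax", dir);
    snprintf(dst, sizeof dst, "%s/copy.out", dir);
    snprintf(marker, sizeof marker, "%s/lol_hax", dir);

    FILE *f = fopen(src, "w");
    if (f == NULL)
        return 0;
    fputs("fake image bytes\n", f); /* 17 bytes of constructed content */
    fclose(f);

    int ok = copy_file_noshell(src, dst) == 0;
    struct stat st;
    ok = ok && stat(dst, &st) == 0 && st.st_size == 17;
    ok = ok && access(marker, F_OK) != 0 && access("lol_hax", F_OK) != 0;

    unlink(src);
    unlink(dst);
    rmdir(dir);
    return ok;
}

int main(void)
{
    char cmd[256];
    build_cp_command_unsafe(cmd, sizeof cmd, "foo;touch lol_hax", "out.jpg");
    printf("a shell would parse: %s\n", cmd);
    printf("metacharacters present: %d\n", has_shell_metachars("foo;touch lol_hax"));
    printf("no-shell copy ok: %d\n", demo_noshell_copy());
    return 0;
}
```

The first printed line makes the injection point visible: the shell splits the string at ';' and runs "touch lol_hax" as a second command. The no-shell copy is the same fix in spirit as replacing a system() call with an exec-family call; the upstream patch linked above instead removed the affected function entirely.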
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 17:05:46 UTC
Graphics, please update to 1.8 or create an updated ebuild that backports the patch (which just removes the vulnerable function).
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2010-06-25 17:19:39 UTC
Test & stabilize:

=media-gfx/feh-1.8
Comment 3 Christoph Mende (RETIRED) gentoo-dev 2010-06-25 20:44:50 UTC
amd64 stable
Comment 4 Myckel Habets 2010-06-26 08:27:27 UTC
Build program and rdep without any problem on x86. Loaded some images, no problems encountered.

Please mark stable for x86.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-06-27 09:59:22 UTC
BEGIN failed--compilation aborted at test/feh.t line 4.
test/feh.t ..... Dubious, test returned 255 (wstat 65280, 0xff00)
No subtests run 
test/mandoc.t .. Perl v5.10.0 required--this is only v5.8.8, stopped at test/mandoc.t line 4.
BEGIN failed--compilation aborted at test/mandoc.t line 4.
test/mandoc.t .. Dubious, test returned 255 (wstat 65280, 0xff00)
No subtests run 

Please restrict tests.
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2010-06-27 10:03:47 UTC
(In reply to comment #5)
> BEGIN failed--compilation aborted at test/feh.t line 4.
> test/feh.t ..... Dubious, test returned 255 (wstat 65280, 0xff00)
> No subtests run 
> test/mandoc.t .. Perl v5.10.0 required--this is only v5.8.8, stopped at
> test/mandoc.t line 4.
> BEGIN failed--compilation aborted at test/mandoc.t line 4.
> test/mandoc.t .. Dubious, test returned 255 (wstat 65280, 0xff00)
> No subtests run 
> 
> Please restrict tests.
> 

27 Jun 2010; Samuli Suominen <ssuominen@gentoo.org> feh-1.8.ebuild:
Run testsuite only if perl is at least 5.10 wrt #325531 (Comment #5) by
Christian Faulhammer.

Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2010-06-27 11:01:50 UTC
stable x86, thanks Myckel
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2010-06-27 18:04:02 UTC
*** Bug 325855 has been marked as a duplicate of this bug. ***
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2010-07-03 13:07:16 UTC
alpha/sparc stable
Comment 10 Samuli Suominen (RETIRED) gentoo-dev 2010-07-04 10:06:54 UTC
ppc64 stable
Comment 11 Joe Jezak (RETIRED) gentoo-dev 2010-07-19 01:10:34 UTC
Marked ppc stable.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:59:49 UTC
glsa request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 13:42:05 UTC
CVE-2010-2246 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2246):
  feh before 1.8, when the --wget-timestamp option is enabled, might allow
  remote attackers to execute arbitrary commands via shell metacharacters in a
  URL.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2011-10-13 21:30:47 UTC
This issue was resolved and addressed in GLSA 201110-08 at http://security.gentoo.org/glsa/glsa-201110-08.xml by GLSA coordinator Stefan Behte (craig).