Summary: <app-misc/mc-4.8.7: arbitrary execution of programs due to unquoted environment variables (CVE-2012-4463)
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa]
Reporter: Paul Hartman <paul.hartman>
Assignee: Gentoo Security <security>
CC: desktop-misc, kensington, slyfox, wired
Package list:
Runtime testing required: ---
Attachments: mc-quoted-ext-variables.patch (attachment 325228)
Description
Paul Hartman
2012-09-28 16:39:12 UTC
Created attachment 325228: mc-quoted-ext-variables.patch
I guess you will need proper shell quoting instead of this thing.
Have you reported it upstream at http://www.midnight-commander.org/ ?

Thanks for the report :]

(In reply to comment #2)
> I guess you will need proper shell quoting instead of this thing.
> Have you reported it upstream at http://www.midnight-commander.org/ ?
>
> Thanks for the report :]

This has been reported upstream as:
[1] https://www.midnight-commander.org/ticket/2913

CVE request:
[2] http://www.openwall.com/lists/oss-security/2012/10/03/4

The CVE identifier of CVE-2012-4463 has been assigned to this issue:
[3] http://www.openwall.com/lists/oss-security/2012/10/03/5

Thank you for the report, Paul. Thanks for the CVE request, Jan. Thanks to all.

Just to clarify, it affects not only MC_EXT_SELECTED (this was only one example) but it also affects MC_EXT_ONLYTAGGED. Basically any of the MC_EXT_* environment variables as created by the exec_get_export_variables function are not quoted, but in reality those are the only two which contain multiple filenames. This is why the error is printed twice when the condition is triggered.

CVE-2012-4463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4463):
Midnight Commander (mc) 4.8.5 does not properly handle the (1) MC_EXT_SELECTED or (2) MC_EXT_ONLYTAGGED environment variables when multiple files are selected, which allows user-assisted remote attackers to execute arbitrary commands via a crafted file name.

*mc-4.8.7 (28 Dec 2012)

  28 Dec 2012; Sergei Trofimovich <slyfox@gentoo.org> +mc-4.8.7.ebuild:
  Version bump.

This bump contains the fix for this bug.

(In reply to comment #9)
> *mc-4.8.7 (28 Dec 2012)
>
>   28 Dec 2012; Sergei Trofimovich <slyfox@gentoo.org> +mc-4.8.7.ebuild:
>   Version bump.
>
> This bump contains the fix for this bug.

Thanks, Michael and Sergei.

Arches, please test it and mark stable.

x86 stable

Stable for HPPA.

amd64 stable

ppc stable

ppc64 stable

ia64 stable

sparc stable

arm stable

alpha stable

s390/sh stable

Thanks, everyone.
New GLSA request filed.

This issue was resolved and addressed in GLSA 201402-18 at http://security.gentoo.org/glsa/glsa-201402-18.xml by GLSA coordinator Mikle Kolyada (Zlogene).
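The quoting problem the thread describes, as an added example that is not mc's code, the attached patch, or the upstream fix: a stand-in for a builder that writes the selected file names into an exported variable, first the way the report describes it (names joined with spaces, unquoted) and then with every name shell-quoted. Because the page does not show mc's implementation, the example assumes that the value is written as an assignment line into a generated sh script and that the action then reads the list back with `eval "set -- $MC_EXT_SELECTED"`; the file names, including the crafted one, are constructed.

```shell
#!/bin/sh
# Added illustration of the bug class discussed in the thread (not mc's code).
# Assumptions: the MC_EXT_* value becomes an assignment line inside a generated
# shell script, and the action that follows splits the list back into words
# with `eval "set -- $MC_EXT_SELECTED"`. All file names below are constructed.

# Quote one string so that a POSIX shell parses it back as exactly one word:
# wrap it in single quotes and turn every embedded ' into '\''.
shell_quote() {
    s=$1
    out=""
    while :; do
        case $s in
            *\'*) out="$out${s%%\'*}'\\''"; s=${s#*\'} ;;
            *)    out="$out$s"; break ;;
        esac
    done
    printf "'%s'" "$out"
}

# Vulnerable builder: names joined with spaces and written verbatim, so any
# shell metacharacter in a name is parsed as part of the script.
assignment_unquoted() {
    list=""; sep=""
    for name in "$@"; do
        list="$list$sep$name"; sep=" "
    done
    printf 'MC_EXT_SELECTED=%s\n' "$list"
}

# Fixed builder: quote each name, then quote the joined list once more so the
# assignment itself is a single word and the names survive as separate items.
assignment_quoted() {
    list=""; sep=""
    for name in "$@"; do
        list="$list$sep$(shell_quote "$name")"; sep=" "
    done
    printf 'MC_EXT_SELECTED=%s\n' "$(shell_quote "$list")"
}

# Stand-in for the generated action script: the assignment line, then an
# action that splits the list and reports how many names it received.
# stderr is dropped because the injected text also produces a "not found"
# error, the symptom the reporter saw.
run_action() {
    sh -c "$1
eval \"set -- \$MC_EXT_SELECTED\"
echo \"names=\$#\"" 2>/dev/null
}

# Crafted name: ordinary text followed by shell metacharacters.
CRAFTED='x; echo INJECTED; :'

# Unquoted: the shell runs `x`, then `echo INJECTED`, and the list is lost.
run_action "$(assignment_unquoted report.txt "$CRAFTED")"
#   INJECTED
#   names=0

# Quoted: no command runs and the action receives both names intact.
run_action "$(assignment_quoted report.txt "$CRAFTED")"
#   names=2
```

The fixed form only helps if the consumer splits the value with `eval "set -- ..."` (or an equivalent that honours the quoting); a script that does `for f in $MC_EXT_SELECTED` on the quoted value still gets broken names, just without code execution. Passing file names one per argument, or NUL-separated, avoids the round trip through shell syntax altogether.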