Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 78941

Summary: app-text/sword: diatheke.pl Shell Command Injection Vulnerability
Product: Gentoo Security Reporter: Luke Macken (RETIRED) <lewk>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: major CC: squinky86, taviso, vapier
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.debian.org/security/2005/dsa-650
Whiteboard: C1 [] lewk
Package list:
Runtime testing required: ---
Attachments:
Description Flags
sword-1.5.8-diatheke.patch none

Description Luke Macken (RETIRED) gentoo-dev 2005-01-21 05:35:22 UTC 
TITLE:
SWORD diatheke.pl Shell Command Injection Vulnerability

SECUNIA ADVISORY ID:
SA13897

VERIFY ADVISORY:
http://secunia.com/advisories/13897/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
>From remote

SOFTWARE:
SWORD 1.x
http://secunia.com/product/4548/

DESCRIPTION:
Ulf H?rnhammar has reported a vulnerability in SWORD, which
potentially can be exploited by malicious people to compromise a
vulnerable system.

The vulnerability is caused due to an input validation error in
diatheke.pl. This can be exploited to inject arbitrary shell commands
via a specially crafted URL.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
Ulf H?rnhammar

ORIGINAL ADVISORY:
http://www.debian.org/security/2005/dsa-650
Comment 1 Luke Macken (RETIRED) gentoo-dev 2005-01-21 06:01:13 UTC 
Created attachment 49105 [details, diff]
sword-1.5.8-diatheke.patch

patch ported from debians 1.5.3 patch.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2005-01-21 06:02:58 UTC 
We are quite a few versions ahead of debians on this one.. but it looks like our code is still vulnerable.

squinky86, please verify/apply.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-04 08:34:11 UTC 
solar/vapier: we could try applying this patch ourselves, as squinky isn't answering.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-10 14:27:37 UTC 
Gentoo doesnt include the diatheke.pl script in the package, so I dont think we are vulnerable to this bug.

Incidentally, in debian's patch it looks like $range is never escaped, so this could still be exploited by searching for the range ";command;" or similar :)
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-02-11 01:47:38 UTC 
taviso: good catch. I verified that the patch applied and not that we didn't ship the diatheke.pl CGI. Note that Debian doesn't ship a version that includes the "range" operator so they are in fact unaffected by that remaining vulnerability.