Bug 203106 - app-arch/unp < 1.0.13 Insufficient escaping of shell meta characters (CVE-2007-6610)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Reported: 2007-12-22 23:10 UTC by Jakub Moc (RETIRED)
Modified: 2008-01-09 00:47 UTC
Description Jakub Moc (RETIRED) gentoo-dev 2007-12-22 23:10:29 UTC
From the Debian bug:

unp doesn't escape filenames properly. Try this:

touch empty
zip \`ls\`.zip empty
unp \`ls\`.zip

and it will give you a directory listing.

This means that any application using 'unp' for a generic decompression
utility might be vulnerable to a filename-based injection attack.

Fixed in 1.0.13.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-23 11:35:27 UTC
Looks valid, thanks for reporting. 

Hanno, please bump.
Comment 2 Hanno Böck gentoo-dev 2007-12-23 17:25:07 UTC
Bump done, amd64 and x86 please stabilize.
Comment 3 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2007-12-24 21:58:05 UTC

Amd64 seems to be ok. The vulnerability is not reproducible and the rest of the program works as expected.

Portage (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r3 x86_64)
System uname: 2.6.23-gentoo-r3 x86_64 AMD Athlon(tm) 64 Processor 3400+
Timestamp of tree: Mon, 24 Dec 2007 01:47:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.10-r5
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.23-r2
CFLAGS="-march=athlon64 -O2 -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=athlon64 -O2 -pipe"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict nostrip parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
USE="X acl acpi aim alsa amd64 arts bash-completion berkdb bitmap-fonts branding cairo cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode esd evo fam firefox fortran gdbm gif gpm gstreamer hal iconv imap ipv6 isdnlog jpeg kde kerberos mad midi mikmod mmx mp3 mpeg mudflap mysql mysqli ncurses nls nptl nptlonly nvidia ogg opengl openmp oss pam pcre pdf perl png pppd python qt qt3 qt3support qt4 quicktime readline reflection sdl session spell spl sqlite3 sse sse2 ssl svg tcpd test tiff truetype truetype-fonts type1-fonts unicode vim vim-syntax vorbis xine xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Comment 4 Peter Weller (RETIRED) gentoo-dev 2007-12-26 08:46:47 UTC
amd64 stable, thanks gentoofan
Comment 5 Markus Meier gentoo-dev 2007-12-26 10:07:16 UTC
x86 stable, last arch!
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-26 12:02:05 UTC
Seems the patch introduced regressions -- "now it seems unp can't handle filenames with whitespace anymore"

 unp (1.0.14) unstable; urgency=low
   * Stop using libstring-shellquote-perl, it breaks things (closes: #457134)
   * Code review and rewrite of potentially dangerous methods, using
     environment variables and shell arguments to pass the variables
     to called commands (now really closes: #448437)

Hanno, can you confirm that?
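
The 1.0.14 changelog quoted in Comment 6 describes passing names to called commands through environment variables and shell arguments rather than as command text. A shell sketch of that difference, added here and not taken from unp (which is a Perl script): `SHOW`, `UNP_FILE` and the three function names are hypothetical, and the sample filenames are constructed.

```shell
#!/bin/sh
# Added illustration, not unp's code. SHOW is a hypothetical stand-in for the
# extractor unp would launch: it prints every argument it received in
# brackets, so executed text or split arguments become visible.
SHOW='for a in "$@"; do printf "[%s]" "$a"; done'

# Pattern from the report: the filename is pasted into the command text, so
# the child shell parses backticks and whitespace inside it as shell syntax.
run_interpolated() {
    sh -c "set -- $1; $SHOW"
}

# Shell-argument form: the command text is constant and the filename arrives
# as positional parameter $1 of the child shell, which never re-parses it.
run_as_argument() {
    sh -c "$SHOW" sh "$1"
}

# Environment form: the filename travels in a variable (UNP_FILE is an assumed
# name) and the constant command text only expands it inside double quotes.
run_via_environment() {
    UNP_FILE="$1" sh -c 'set -- "$UNP_FILE"; '"$SHOW"
}

# Constructed sample names: one with backticks (a harmless echo in place of
# the report's ls), one with whitespace (the regression noted for 1.0.13).
for name in '`echo EXECUTED`.zip' 'my archive.zip'; do
    printf '%-22s interpolated=%s argument=%s environment=%s\n' "$name" \
        "$(run_interpolated "$name")" \
        "$(run_as_argument "$name")" \
        "$(run_via_environment "$name")"
done
```

Only the interpolated form turns the backtick name into `[EXECUTED.zip]` and splits the whitespace name into two arguments; the other two deliver each name as a single literal argument.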
Comment 7 Hanno Böck gentoo-dev 2007-12-27 08:05:44 UTC
archs, regressions found, please stabilize 1.0.14.
Comment 8 Dawid Węgliński (RETIRED) gentoo-dev 2007-12-27 09:43:35 UTC
x86 stable
Comment 9 Peter Weller (RETIRED) gentoo-dev 2007-12-27 22:47:40 UTC
amd64 done again..
Comment 10 Hanno Böck gentoo-dev 2007-12-27 23:08:45 UTC
security, I think this is ready for glsa
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-12-28 00:23:55 UTC
yes, filed. Thanks.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-01-09 00:47:27 UTC
GLSA200801-01 -- happy new year!

Thanks to everyone.