Bug 289636 - net-misc/clipgrab-2.0_beta-r1: Remove "Obeyator" for privacy reasons
Summary: net-misc/clipgrab-2.0_beta-r1: Remove "Obeyator" for privacy reasons
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
Keywords: InVCS
Reported: 2009-10-18 20:23 UTC by Hugo Mildenberger
Modified: 2011-04-01 20:29 UTC
CC List: 1 user
Runtime testing required: ---
tove: Bugday+
Description Hugo Mildenberger 2009-10-18 20:23:17 UTC
Inspecting source code after I got a segmentation fault, I found a source file with the telling name obeyator.cpp. An instance of the class it provides is created on every startup of clipgrab. The code downloads a textfile from clipgrab.de. Depending on the returned content, it could start arbitrary programs.


Reproducible: Always

Steps to Reproduce:
1. ebuild net-misc/clipgrab-2.0_beta_1-r1.ebuild prepare
2. inspect main.cpp and obeyator.cpp
This is the content of obeyator.cpp:


/*
//
// This file is part of ClipGrab and released under the terms of the GNU GPL v3.
// You have received a copy of this licence. See gpl-3.0 or http://www.gnu.org/licenses/gpl-3.0.txt.
// © 2008 Philipp Schmieder
// http://clipgrab.de
//
*/
#include "obeyator.h"
void obeyator::obey()
{
	http = new QHttp;
	http -> setHost(QString("clipgrab.de"));
	tmpFile = new QTemporaryFile;
	QObject::connect
	(
	http, SIGNAL(done(bool)),
	this, SLOT(execute(bool))
	);
	http -> get("http://clipgrab.de/or.php?version=2.0-beta2&lang="+QLocale::system().name().split("_")[0], tmpFile);

}

void obeyator::execute(bool error)
{
	QSettings settings;
	if (error == false)
	{
		tmpFile -> close();
		tmpFile -> open();
		QString string;
		string = tmpFile -> readLine();
		while (string != "")
		{
			if (string.split(" ")[0].trimmed() == "msg")
			{
				QMessageBox::information(0, tr("ClipGrab"), string.split("\"")[1], QMessageBox::Ok);
			}
			else if (string.split(" ")[0].trimmed() == "url")
			{
				if (string.split("\\\\")[1].trimmed() != "")
				{
				
					if (settings.value(string.split("\\\\")[1].split(" ")[0]) != string.split("\\\\")[1].split("\"")[1])
					{
						QProcess *app = new QProcess(this);
						#ifdef Q_WS_X11
						app -> start("xdg-open " + string.split("\"")[1]);
						#endif
				
						#ifdef Q_WS_WIN
						app -> start("cmd.exe /C start " + string.split("\"")[1]);
						#endif
					}
				}
			}
			else if (string.split(" ")[0].trimmed() == "set")
			{
				settings.setValue(string.split(" ")[1], string.split("\"")[1]);
			}
			else if (string.split(" ")[0].trimmed() == "quit")
			{
				QCoreApplication::exit(0);
			}
			string = tmpFile -> readLine();
		}
	}
	delete tmpFile;
}
Comment 1 Hugo Mildenberger 2009-10-19 11:20:59 UTC
Currently, the downloaded textfile looks harmless:


GET http://clipgrab.de/or.php?version=2.0-beta2&lang=de HTTP/1.1
Connection: Keep-Alive
Host: clipgrab.de

HTTP/1.1 200 OK
Date: Mon, 19 Oct 2009 11:03:28 GMT
Server: Apache/1.3 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.8f AuthPG/1.3 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.8
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

58 
url "http://clipgrab.de/thanks_de.html" \\started "2.0-beta2"\\
set started "2.0-beta2"

0
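To make the directive format concrete, here is an added dry-run interpreter (not from the bug report or from ClipGrab) that parses a response like the one quoted above exactly the way obeyator::execute() indexes its QString::split() results, but only records what the client would do: show a message, open a URL through xdg-open, change a QSettings key, or ask the application to exit. The captured body is reconstructed from this comment with the HTTP chunk framing removed; the in-memory dict standing in for QSettings is an assumption of the example.

```python
# Added example, not part of the bug report or of ClipGrab: a dry-run
# interpreter for the directive file obeyator::execute() fetches from
# clipgrab.de. It mirrors the original QString::split() indexing but only
# records what the client would do instead of doing it.
from typing import Dict, List, Optional, Tuple

# Body of the or.php response quoted in Comment 1, reconstructed without
# the HTTP chunk framing ("58" / "0"); each "\\\\" is two literal backslashes.
CAPTURED_RESPONSE = (
    'url "http://clipgrab.de/thanks_de.html" \\\\started "2.0-beta2"\\\\\n'
    'set started "2.0-beta2"\n'
)


def field(text: str, sep: str, index: int) -> Optional[str]:
    """Like text.split(sep)[index] in the Qt code, but None where Qt would index past the list."""
    parts = text.split(sep)
    return parts[index] if index < len(parts) else None


def dry_run(body: str, settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (action, detail) pairs for `body`; `settings` stands in for QSettings."""
    actions: List[Tuple[str, str]] = []
    for line in body.splitlines():
        keyword = (field(line, " ", 0) or "").strip()
        if keyword == "msg":                      # QMessageBox::information(...)
            text = field(line, '"', 1)
            actions.append(("show_message", text if text is not None else "<malformed>"))
        elif keyword == "url":                    # xdg-open / cmd.exe start
            condition = field(line, "\\\\", 1)    # text between the two "\\" markers
            url = field(line, '"', 1)
            if condition is None or url is None:  # original code would index out of range here
                actions.append(("malformed_url_line", line))
                continue
            if condition.strip() != "":
                key = field(condition, " ", 0)
                expected = field(condition, '"', 1)
                # Open the URL only while the stored value differs from the expected one.
                if settings.get(key) != expected:
                    actions.append(("open_url", url))
        elif keyword == "set":                    # QSettings::setValue(key, value)
            key, value = field(line, " ", 1), field(line, '"', 1)
            if key is not None and value is not None:
                settings[key] = value
                actions.append(("set", f"{key}={value}"))
        elif keyword == "quit":                   # QCoreApplication::exit(0) only asks the
            actions.append(("quit", ""))          # event loop to stop; parsing continues
    return actions
```

Running it on the captured body shows the "open once per version" behaviour: the first pass opens the thanks page and records `started`, a second pass with the same settings only repeats the `set`.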
Comment 2 Hugo Mildenberger 2009-10-20 23:13:13 UTC
ping ... 
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-21 18:46:24 UTC
I quickly looked into this, but I am not too sure this is actually exploitable:

46 QProcess *app = new QProcess(this);
48 app -> start("xdg-open " + string.split("\"")[1]);

It seems QProcess->start starts exactly one command, but not in a shell, so no metacharacters.
xdg-open then processes again only one argument, a file/URL to open. So you might execute something, but without any parameters.

At any rate, if you have a working exploit or further comments, please feel free to contact us privately by email (see the address in the "Assigned To" field).

So, unless we get hard evidence this is exploitable, I would not handle this as a security issue, however bluebird might choose to remove the code for privacy's sake.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-26 18:01:19 UTC
We didn't receive any PoC or other conclusive arguments; reassigning to maintainer for a "regular" removal of the code.
Comment 5 Tomáš Chvátal (RETIRED) gentoo-dev 2011-04-01 20:29:08 UTC
Fixed in main tree during virtual/ffmpeg move.