A feature of Midnight Commander is the mc.ext system which defines rules to execute commands based on file type or file name. Typically this is done by pressing enter on a highlighted file in the panel. When you do that, MC creates a temporary shell script which defines some environment variables containing all currently selected/highlighted files in the panel. These variables are described in detail in the comments of /etc/mc/mc.ext. This is a space-separated list and is not quoted, causing bash to execute the second file as if it were a command. This results, in the best case, in errors such as:

/tmp/mc-paul/mcextB1iX4l: line 9: foo.bar: command not found
/tmp/mc-paul/mcextB1iX4l: line 11: foo.bar: command not found

And in the worst case I think this could be dangerous, for example if your selected files happen to be named "rm" or "cp" or other executable names. :)

I have fixed it by adding quotes in exec_get_export_variables from filemanager/ext.c like this:

g_string_append_printf (export_vars_string, "%s=\"%s\"\nexport %s\n", export_variables[i].name, text, export_variables[i].name);

I don't know if that is the best solution for all use cases and compatibility with shells other than bash, but at least it prevents my bash shell from trying to execute the elements of the variable as commands. I will defer to devs on whether this is the appropriate way to fix it.

Reproducible: Always

Steps to Reproduce:
1. Select multiple files in a panel
2. Press ENTER key when a file is highlighted that will trigger an mc.ext rule (such as a movie or a jpg)
3. Watch as it tries to execute the second selected file as a command twice.
Actual Results:
Script sets, for example:

MC_EXT_SELECTED=foo bar blah

resulting in bash trying to execute the command "bar blah" while setting MC_EXT_SELECTED to "foo"

Expected Results:
Should instead set:

MC_EXT_SELECTED="foo bar blah"

Portage 2.2.0_alpha133 (default/linux/amd64/10.0/desktop/kde, gcc-4.6.3, glibc-2.15-r3, 3.5.4 x86_64) ================================================================= System uname: Linux-3.5.4-x86_64-Intel-R-_Core-TM-_i7_CPU_920_@_2.67GHz-with-gentoo-2.2 Timestamp of tree: Thu, 27 Sep 2012 14:15:01 +0000 distcc 3.1 x86_64-pc-linux-gnu [disabled] ccache version 3.1.8 [disabled] app-shells/bash: 4.2_p37 dev-java/java-config: 2.1.12 dev-lang/python: 2.7.3-r2, 3.2.3-r1 dev-util/ccache: 3.1.8 dev-util/cmake: 2.8.9 dev-util/pkgconfig: 0.27.1 sys-apps/baselayout: 2.2 sys-apps/openrc: 0.10.5 sys-apps/sandbox: 2.6 sys-devel/autoconf: 2.13, 2.69 sys-devel/automake: 1.9.6-r3, 1.10.3, 1.11.6, 1.12.4 sys-devel/binutils: 2.22.90 sys-devel/gcc: 4.6.3 sys-devel/gcc-config: 1.7.3 sys-devel/libtool: 2.4.2 sys-devel/make: 3.82-r3 sys-kernel/linux-headers: 3.5 (virtual/os-headers) sys-libs/glibc: 2.15-r3 Repositories: gentoo nx vmware overlay Installed sets: @kernels, @system ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="*" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-mtune=native -O3 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /var/lib/hsqldb" CONFIG_PROTECT_MASK="${EPREFIX}/etc/gconf /etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-mtune=native -O3 -pipe" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--nospinner --quiet-build=n" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-logs buildsyspkg config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch 
xattr" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="http://mirror.mcs.anl.gov/pub/gentoo/ http://lug.mtu.edu/gentoo/ http://www.gtlib.gatech.edu/pub/gentoo http://mirrors.linuxant.fr/distfiles.gentoo.org/ http://gentoo.llarian.net/ http://mirror.netcologne.de/gentoo/ http://ftp.fi.muni.cz/pub/linux/gentoo/ http://mirror.bytemark.co.uk/gentoo/" LANG="en_US.UTF-8" LDFLAGS="-Wl,--as-needed" LINGUAS="en en_US" MAKEOPTS="-j9" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/dev/shm" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/var/lib/layman/nx /var/lib/layman/vmware /usr/local/portage" SYNC="rsync://mirror.steadfast.net/gentoo-portage" USE="X a52 aac acl acpi aim alsa amd64 bash-completion berkdb bluetooth branding bzip2 cairo cdda cdparanoia cdr cli colord consolekit cracklib crypt css cups cxx dbus declarative dri dts dvd dvdr emacs emboss encode exif fam ffmpeg firefox flac fortran freetds ftp gdbm gif gimp gphoto2 gpm gtk gzip handbook iconv id3tag idn ieee1394 imagemagick imap ipv6 jabber jack javascript jbig joystick jpeg jpeg2k kde kipi lame lcms ldap libnotify lm_sensors lzma lzo mad matroska mime mmx mng modules mp3 mp4 mpeg mplayer msn mssql mudflap multilib musicbrainz mysql mysqli ncurses nls nptl nsplugin offensive ogg opengl openmp oscar pam pango pcre pdf phonon plasma png policykit ppds pppd pulseaudio qt3support qt4 quicktime raw rdesktop readline samba scanner sdl semantic-desktop session slang smp sndfile sound sox spell sse sse2 sse3 ssl startup-notification subversion svg syslog taglib tcpd theora tiff tmidity truetype udev udisks unicode upower usb v4l vcd videos vnc vorbis webkit wifi wmf wxwidgets x264 xattr xcb xcomposite xemacs xine xinerama xml xmp xpm xscreensaver xv xvid yahoo zeroconf zlib" ALSA_CARDS="hda-intel 
alsa_cards_usb-audio alsa_cards_usb-us122l alsa_cards_usb-usx2y" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="canon ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" FOO2ZJS_DEVICES="hp1020" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="scripting-beanshell scripting-javascript wiki-publisher presenter-console presenter-minimizer" LINGUAS="en en_US" NETBEANS_MODULES="apisupport harness ide java nb cnd groovy gsf identity j2ee mobility php profiler soa visualweb webcommon websvccommon xml" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" SANE_BACKENDS="epson epson2 epkowa" USERLAND="GNU" VIDEO_CARDS="nvidia nouveau vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Created attachment 325228 [details, diff] mc-quoted-ext-variables.patch
I guess you will need proper shell quoting instead of this thing. Have you reported it upstream at http://www.midnight-commander.org/ ? Thanks for the report :]
(In reply to comment #2)
> I guess you will need proper shell quoting instead of this thing.
> Have you reported it upstream at http://www.midnight-commander.org/ ?
>
> Thanks for the report :]

This has been reported upstream as:
[1] https://www.midnight-commander.org/ticket/2913
CVE request: [2] http://www.openwall.com/lists/oss-security/2012/10/03/4
The CVE identifier of CVE-2012-4463 has been assigned to this issue: [3] http://www.openwall.com/lists/oss-security/2012/10/03/5
Thank you for the report, Paul. Thanks for the CVE request, Jan.
Thanks to all. Just to clarify, it affects not only MC_EXT_SELECTED (this was only one example) but it also affects MC_EXT_ONLYTAGGED. Basically any of the MC_EXT_* environment variables as created by the exec_get_export_variables function are not quoted, but in reality those are the only two which contain multiple filenames. This is why the error is printed twice when the condition is triggered.
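As an added illustration of the "proper shell quoting" that comment #2 asks for, and of the two unquoted variables named above: this is not code from the bug report, from the attached patch, or from Midnight Commander itself. The reporter's fix wraps the value in double quotes, which stops word splitting but still lets the shell expand $(...), backticks and $VAR occurring inside a file name. Wrapping the value in single quotes disables every expansion; an embedded single quote is emitted as the sequence '\'' (close the quote, add an escaped quote, reopen). The function names shell_single_quote and build_export_line and the sample values are hypothetical and constructed for this example.

```c
/* Added example (not Midnight Commander code): build the
 * NAME='value'\nexport NAME\n line a generated script should use so
 * that file names containing spaces, quotes or $(...) are passed to the
 * shell as data, never as commands. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated copy of s wrapped in single quotes, with each
 * embedded ' replaced by '\'' . The caller frees the result. */
char *shell_single_quote(const char *s)
{
    size_t n = strlen(s), extra = 0, i, j = 0;
    char *out;

    for (i = 0; i < n; i++)
        if (s[i] == '\'')
            extra += 3;            /* ' becomes '\'' : three more bytes */

    out = malloc(n + extra + 3);   /* two quotes plus the NUL */
    if (out == NULL)
        return NULL;

    out[j++] = '\'';
    for (i = 0; i < n; i++) {
        if (s[i] == '\'') {
            memcpy(out + j, "'\\''", 4);
            j += 4;
        } else {
            out[j++] = s[i];
        }
    }
    out[j++] = '\'';
    out[j] = '\0';
    return out;
}

/* Build "NAME='value'\nexport NAME\n", the safe form of the export line
 * that the report shows being written without any quoting. */
char *build_export_line(const char *name, const char *value)
{
    char *quoted = shell_single_quote(value);
    size_t len;
    char *line;

    if (quoted == NULL)
        return NULL;
    /* name twice, the quoted value, the literal "=\nexport \n" and a NUL */
    len = strlen(name) * 2 + strlen(quoted) + strlen("=\nexport \n") + 1;
    line = malloc(len);
    if (line != NULL)
        snprintf(line, len, "%s=%s\nexport %s\n", name, quoted, name);
    free(quoted);
    return line;
}

int main(void)
{
    /* Constructed sample: the three selected file names from the report */
    char *line = build_export_line("MC_EXT_SELECTED", "foo bar blah");

    if (line != NULL) {
        fputs(line, stdout);   /* MC_EXT_SELECTED='foo bar blah' / export MC_EXT_SELECTED */
        free(line);
    }
    return 0;
}
```

The same helper serves MC_EXT_ONLYTAGGED and any other MC_EXT_* variable: the caller only changes the name argument, and a name such as it's or $(date) comes out as 'it'\''s' and '$(date)', which the shell assigns verbatim.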
CVE-2012-4463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4463): Midnight Commander (mc) 4.8.5 does not properly handle the (1) MC_EXT_SELECTED or (2) MC_EXT_ONLYTAGGED environment variables when multiple files are selected, which allows user-assisted remote attackers to execute arbitrary commands via a crafted file name.
*mc-4.8.7 (28 Dec 2012)

  28 Dec 2012; Sergei Trofimovich <slyfox@gentoo.org> +mc-4.8.7.ebuild:
  Version bump.

This bump contains the fix for this bug.
(In reply to comment #9)
> *mc-4.8.7 (28 Dec 2012)
>
>   28 Dec 2012; Sergei Trofimovich <slyfox@gentoo.org> +mc-4.8.7.ebuild:
>   Version bump.
>
> This bump contains the fix for this bug.

Thanks, Michael and Sergei. Arches, please test it and mark stable.
x86 stable
Stable for HPPA.
amd64 stable
ppc stable
ppc64 stable
ia64 stable
sparc stable
arm stable
alpha stable
s390/sh stable
Thanks, everyone. New GLSA request filed.
This issue was resolved and addressed in GLSA 201402-18 at http://security.gentoo.org/glsa/glsa-201402-18.xml by GLSA coordinator Mikle Kolyada (Zlogene).