Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 436518 (CVE-2012-4463) - <app-misc/mc-4.8.7: arbitrary execution of programs due to unquoted environment variables (CVE-2012-4463)
Summary: <app-misc/mc-4.8.7: arbitrary execution of programs due to unquoted environme...
Status: RESOLVED FIXED
Alias: CVE-2012-4463
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-28 16:39 UTC by Paul Hartman
Modified: 2014-02-20 11:13 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
mc-quoted-ext-variables.patch (mc-quoted-ext-variables.patch,869 bytes, patch)
2012-09-28 16:40 UTC, Paul Hartman
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Paul Hartman 2012-09-28 16:39:12 UTC
A feature of Midnight Commander is the mc.ext system which defines rules to execute commands based on file type or file name. Typically this is done by pressing enter on a highlighted file in the panel. 

When you do that, MC creates a temporary shell script which defines some environment variables containing all currently selected/highlighted files in the panel. These variables are described in detail in the comments of /etc/mc/mc.ext.

This is a space-separated list and is not quoted, causing bash to execute the second file as if it were a command. Resulting, in best case, in errors such as:

/tmp/mc-paul/mcextB1iX4l: line 9: foo.bar: command not found
/tmp/mc-paul/mcextB1iX4l: line 11: foo.bar: command not found

And in worst case I think this could be dangerous for example if your selected files happen to be named "rm" or "cp" or other executable names. :)

I have fixed it by adding quotes in exec_get_export_variables from
filemanager/ext.c like this:

g_string_append_printf (export_vars_string, "%s=\"%s\"\nexport %s\n", export_variables[i].name, text, export_variables[i].name);

I don't know if that is the best solution for all use cases and
compatibility with shells other than bash, but at least it prevents my bash shell from trying to execute the elements of the variable as commands. I will defer to devs on whether this is the appropriate way to fix it.

Reproducible: Always

Steps to Reproduce:
1. Select multiple files in a panel
2. Press ENTER key when a file is highlighted that will trigger an mc.ext rule (such as a movie or a jpg)
3. Watch as it tries to execute the second selected file as a command twice.
Actual Results:  
Script sets, for example:
MC_EXT_SELECTED=foo bar blah
resulting in bash trying to execute the command "bar blah" while setting MC_EXT_SELECTED to "foo"

Expected Results:  
Should instead set:
MC_EXT_SELECTED="foo bar blah"

Portage 2.2.0_alpha133 (default/linux/amd64/10.0/desktop/kde, gcc-4.6.3, glibc-2.15-r3, 3.5.4 x86_64)
=================================================================
System uname: Linux-3.5.4-x86_64-Intel-R-_Core-TM-_i7_CPU_920_@_2.67GHz-with-gentoo-2.2
Timestamp of tree: Thu, 27 Sep 2012 14:15:01 +0000
distcc 3.1 x86_64-pc-linux-gnu [disabled]
ccache version 3.1.8 [disabled]
app-shells/bash:          4.2_p37
dev-java/java-config:     2.1.12
dev-lang/python:          2.7.3-r2, 3.2.3-r1
dev-util/ccache:          3.1.8
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.10.5
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.9.6-r3, 1.10.3, 1.11.6, 1.12.4
sys-devel/binutils:       2.22.90
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.5 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo nx vmware overlay
Installed sets: @kernels, @system
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-mtune=native -O3 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /var/lib/hsqldb"
CONFIG_PROTECT_MASK="${EPREFIX}/etc/gconf /etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-mtune=native -O3 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner --quiet-build=n"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildsyspkg config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.mcs.anl.gov/pub/gentoo/ http://lug.mtu.edu/gentoo/ http://www.gtlib.gatech.edu/pub/gentoo http://mirrors.linuxant.fr/distfiles.gentoo.org/ http://gentoo.llarian.net/ http://mirror.netcologne.de/gentoo/ http://ftp.fi.muni.cz/pub/linux/gentoo/ http://mirror.bytemark.co.uk/gentoo/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,--as-needed"
LINGUAS="en en_US"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/dev/shm"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/nx /var/lib/layman/vmware /usr/local/portage"
SYNC="rsync://mirror.steadfast.net/gentoo-portage"
USE="X a52 aac acl acpi aim alsa amd64 bash-completion berkdb bluetooth branding bzip2 cairo cdda cdparanoia cdr cli colord consolekit cracklib crypt css cups cxx dbus declarative dri dts dvd dvdr emacs emboss encode exif fam ffmpeg firefox flac fortran freetds ftp gdbm gif gimp gphoto2 gpm gtk gzip handbook iconv id3tag idn ieee1394 imagemagick imap ipv6 jabber jack javascript jbig joystick jpeg jpeg2k kde kipi lame lcms ldap libnotify lm_sensors lzma lzo mad matroska mime mmx mng modules mp3 mp4 mpeg mplayer msn mssql mudflap multilib musicbrainz mysql mysqli ncurses nls nptl nsplugin offensive ogg opengl openmp oscar pam pango pcre pdf phonon plasma png policykit ppds pppd pulseaudio qt3support qt4 quicktime raw rdesktop readline samba scanner sdl semantic-desktop session slang smp sndfile sound sox spell sse sse2 sse3 ssl startup-notification subversion svg syslog taglib tcpd theora tiff tmidity truetype udev udisks unicode upower usb v4l vcd videos vnc vorbis webkit wifi wmf wxwidgets x264 xattr xcb xcomposite xemacs xine xinerama xml xmp xpm xscreensaver xv xvid yahoo zeroconf zlib" ALSA_CARDS="hda-intel alsa_cards_usb-audio alsa_cards_usb-us122l alsa_cards_usb-usx2y" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="canon ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" FOO2ZJS_DEVICES="hp1020" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="scripting-beanshell scripting-javascript wiki-publisher presenter-console presenter-minimizer" LINGUAS="en en_US" NETBEANS_MODULES="apisupport harness ide java nb cnd groovy gsf identity j2ee mobility php profiler soa visualweb webcommon websvccommon xml" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" SANE_BACKENDS="epson epson2 epkowa" USERLAND="GNU" VIDEO_CARDS="nvidia nouveau vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 1 Paul Hartman 2012-09-28 16:40:42 UTC
Created attachment 325228 [details, diff]
mc-quoted-ext-variables.patch
Comment 2 Sergei Trofimovich gentoo-dev 2012-09-29 20:19:12 UTC
I guess you will need proper shell quoting instead of this thing.
Have you reported it upstream at http://www.midnight-commander.org/ ?

Thanks for the report :]
Comment 3 Jan Lieskovsky 2012-10-03 15:13:45 UTC
(In reply to comment #2)
> I guess you will need proper shell quoting instead of this thing.
> Have you reported it upstream at http://www.midnight-commander.org/ ?
> 
> Thanks for the report :]

This has been reported upstream as:
[1] https://www.midnight-commander.org/ticket/2913
Comment 4 Jan Lieskovsky 2012-10-03 15:46:13 UTC
CVE request:
[2] http://www.openwall.com/lists/oss-security/2012/10/03/4
Comment 5 Jan Lieskovsky 2012-10-03 16:53:07 UTC
The CVE identifier of CVE-2012-4463 has been assigned to this issue:
[3] http://www.openwall.com/lists/oss-security/2012/10/03/5
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-03 23:27:39 UTC
Thank you for the report, Paul. 

Thanks for the CVE request, Jan.
Comment 7 Paul Hartman 2012-10-04 14:59:35 UTC
Thanks to all. Just to clarify, it affects not only MC_EXT_SELECTED (this was only one example) but it also affects MC_EXT_ONLYTAGGED. Basically any of the MC_EXT_* environment variables as created by the exec_get_export_variables function are not quoted, but in reality those are the only two which contain multiple filenames. This is why the error is printed twice when the condition is triggered.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-10-13 20:37:48 UTC
CVE-2012-4463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4463):
  Midnight Commander (mc) 4.8.5 does not properly handle the (1)
  MC_EXT_SELECTED or (2) MC_EXT_ONLYTAGGED environment variables when multiple
  files are selected, which allows user-assisted remote attackers to execute
  arbitrary commands via a crafted file name.
Comment 9 Michael Palimaka (kensington) gentoo-dev 2012-12-31 11:47:22 UTC
*mc-4.8.7 (28 Dec 2012)

  28 Dec 2012; Sergei Trofimovich <slyfox@gentoo.org> +mc-4.8.7.ebuild:
  Version bump.

This bump contains the fix for this bug.
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-01 21:38:10 UTC
(In reply to comment #9)
> *mc-4.8.7 (28 Dec 2012)
> 
>   28 Dec 2012; Sergei Trofimovich <slyfox@gentoo.org> +mc-4.8.7.ebuild:
>   Version bump.
> 
> This bump contains the fix for this bug.

Thanks, Michael and Sergei.

Arches, please test it and mark stable.
Comment 11 Jeff (JD) Horelick (RETIRED) gentoo-dev 2013-01-01 23:45:38 UTC
x86 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2013-01-02 11:23:36 UTC
Stable for HPPA.
Comment 13 Agostino Sarubbo gentoo-dev 2013-01-02 11:42:27 UTC
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-01-04 12:55:00 UTC
ppc stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-01-04 13:12:34 UTC
ppc64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-01-04 21:18:21 UTC
ia64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-01-05 17:31:25 UTC
sparc stable
Comment 18 Markus Meier gentoo-dev 2013-01-06 10:22:25 UTC
arm stable
Comment 19 Agostino Sarubbo gentoo-dev 2013-01-07 22:22:09 UTC
alpha stable
Comment 20 Raúl Porcel (RETIRED) gentoo-dev 2013-01-13 19:34:09 UTC
s390/sh stable
Comment 21 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-15 21:11:19 UTC
Thanks, everyone. 

New GLSA request filed.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2014-02-20 11:13:06 UTC
This issue was resolved and addressed in
 GLSA 201402-18 at http://security.gentoo.org/glsa/glsa-201402-18.xml
by GLSA coordinator Mikle Kolyada (Zlogene).