oss-sec
mailing list archives
Geany IDE not escaping filenames during compilation / build - a security issue or not?
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 12 Dec 2012 11:51:33 -0500 (EST)
Hello Kurt, Steve, vendors,
Background: Geany is a small and fast integrated development environment with basic
features and few dependencies on other packages or Desktop Environments.
Based on (you might need to click 'Yes, I agree' OK to
get the exploit code in [2]):
[1] https://bugs.gentoo.org/show_bug.cgi?id=446986
[2] http://www.1337day.com/exploit/19924
it was found that Geany is not escaping filenames (when compiling /
building source) prior to passing the final command line to the shell.
The questions:
1) should Geany escape the filenames?
2) is this a security issue or not?
Two views:
* view #1 - it shouldn't escape the filenames. It's just an IDE,
so what it obtains as input is passed to the shell for execution.
* view #2 - it should escape the filenames (because this is what
shell / bash is doing) prior to making the build.
Obviously, even for gcc you can pass a specially-crafted filename
which, on an attempt to build it, would lead to the "ls -la" command
(for example) being executed.
I myself am not sure / not able to decide here.
Steve, could you hint? Does Mitre have some guidance / document
on how to deal with cases like this one?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
P.S.: Cc-ed Geany maintainers for their opinion too.
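
Added example (not part of the original message and not Geany's code): the two views above, run side by side on a build command line that is handed to `/bin/sh`. The `%f` template, the `printf` stand-in for the compiler and the file names are assumptions constructed for this illustration.

```python
import shlex
import subprocess

# Assumed build-command template: "%f" is replaced by the file name.
# printf stands in for the compiler and prints every argument it receives
# inside <...>, so the output shows how the shell split the command line.
TEMPLATE = "printf '<%s>' cc -c %f"

# Constructed file names: one with a space, one with a shell control operator.
SPACED = "my file.c"
CRAFTED = "main.c; echo INJECTED"


def expand_unescaped(template: str, filename: str) -> str:
    """View #1: paste the file name into the command line verbatim."""
    return template.replace("%f", filename)


def expand_escaped(template: str, filename: str) -> str:
    """View #2: quote the file name so the shell treats it as one word."""
    return template.replace("%f", shlex.quote(filename))


def run_in_shell(command_line: str) -> str:
    """Hand the finished command line to /bin/sh and return its stdout."""
    result = subprocess.run(["/bin/sh", "-c", command_line],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for name in (SPACED, CRAFTED):
        for expand in (expand_unescaped, expand_escaped):
            line = expand(TEMPLATE, name)
            print(f"{expand.__name__}: {line!r} -> {run_in_shell(line)!r}")
```

Without quoting, the name with a space reaches the stand-in compiler as two arguments and the text after `;` runs as a second command; with quoting, both names arrive as a single argument.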