Home page logo

oss-sec logo oss-sec mailing list archives

Geany IDE not escaping filenames during compilation / build - a security issue or not?
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 12 Dec 2012 11:51:33 -0500 (EST)

Hello Kurt, Steve, vendors,

  Background: Geany is a small and fast integrated development enviroment with basic
features and few dependencies to other packages or Desktop Environments.

Based on (you might need to click 'Yes, I agree' OK to
get the exploit code in [2]):
[1] https://bugs.gentoo.org/show_bug.cgi?id=446986
[2] http://www.1337day.com/exploit/19924

it was found that Geany is not escaping filenames (when compiling /
building source) prior passing the final command line to shell.

The questions:
1) should Geany escape the filenames?,
2) is this a security issue or not?

Two views:
* view #1 - it shouldn't escape the filenames. It's just IDE,
so what it obtains as input is passed to shell for execution.

* view #2 - it should escape the filenames (because this is what
shell / bash is doing) prior making the build.

Obviously, even for gcc you can pass specially-crafted filename,
when attempt to build it would lead to "ls -la" command (for example)
to be executed.

I by myself am not sure / not able to decide here.

Steve, could you hint? Does Mitre have some guidance / document,
how to deal with cases like this one?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: Cc-ed Geany maintainers for their opinion too.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]