Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: Geany IDE not escaping filenames during compilation / build - a security issue or not?
From: Frank Lanitz <frank () frank uvena de>
Date: Wed, 12 Dec 2012 18:05:40 +0100

Hi folks, 

On Wed, 12 Dec 2012 11:51:33 -0500 (EST)
Jan Lieskovsky <jlieskov () redhat com> wrote:

  Background: Geany is a small and fast integrated development
enviroment with basic features and few dependencies to other packages
or Desktop Environments.

Based on (you might need to click 'Yes, I agree' OK to
get the exploit code in [2]):
[1] https://bugs.gentoo.org/show_bug.cgi?id=446986
[2] http://www.1337day.com/exploit/19924

it was found that Geany is not escaping filenames (when compiling /
building source) prior passing the final command line to shell.

The questions:
1) should Geany escape the filenames?,
2) is this a security issue or not?

Two views:
* view #1 - it shouldn't escape the filenames. It's just IDE,
so what it obtains as input is passed to shell for execution.

* view #2 - it should escape the filenames (because this is what
shell / bash is doing) prior making the build.

Obviously, even for gcc you can pass specially-crafted filename,
when attempt to build it would lead to "ls -la" command (for example)
to be executed.

I by myself am not sure / not able to decide here.

Steve, could you hint? Does Mitre have some guidance / document,
how to deal with cases like this one?

I didn't try it out by now. 

Even though this is really not the best behavior at least I don't see
a real security issue here. Of course you could download a file called
foo.c"rm -rf /", open it and try to run it, but this would only be
executed with user's context which in the end doesn't make any
differences whether you having a shell script like

#!/bin/sh
rm -rf /;

or funny_shell_script.sh"rm -rf /" downloading. /dev/user is needed
here. 

However, should be fixed of course as its dangerous behavior
nevertheless. ;)

Just my 2ct. 

Cheers, 
Frank 
-- 
Frank Lanitz <frank () frank uvena de>

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]