oss-sec mailing list archives
Re: Geany IDE not escaping filenames during compilation / build - a security issue or not?
From: Frank Lanitz <frank () frank uvena de>
Date: Wed, 12 Dec 2012 18:05:40 +0100
Hi folks, On Wed, 12 Dec 2012 11:51:33 -0500 (EST) Jan Lieskovsky <jlieskov () redhat com> wrote:
Background: Geany is a small and fast integrated development enviroment with basic features and few dependencies to other packages or Desktop Environments. Based on (you might need to click 'Yes, I agree' OK to get the exploit code in [2]): [1] https://bugs.gentoo.org/show_bug.cgi?id=446986 [2] http://www.1337day.com/exploit/19924 it was found that Geany is not escaping filenames (when compiling / building source) prior passing the final command line to shell. The questions: 1) should Geany escape the filenames?, 2) is this a security issue or not? Two views: * view #1 - it shouldn't escape the filenames. It's just IDE, so what it obtains as input is passed to shell for execution. * view #2 - it should escape the filenames (because this is what shell / bash is doing) prior making the build. Obviously, even for gcc you can pass specially-crafted filename, when attempt to build it would lead to "ls -la" command (for example) to be executed. I by myself am not sure / not able to decide here. Steve, could you hint? Does Mitre have some guidance / document, how to deal with cases like this one?
I didn't try it out by now. Even though this is really not the best behavior at least I don't see a real security issue here. Of course you could download a file called foo.c"rm -rf /", open it and try to run it, but this would only be executed with user's context which in the end doesn't make any differences whether you having a shell script like #!/bin/sh rm -rf /; or funny_shell_script.sh"rm -rf /" downloading. /dev/user is needed here. However, should be fixed of course as its dangerous behavior nevertheless. ;) Just my 2ct. Cheers, Frank -- Frank Lanitz <frank () frank uvena de>
Attachment:
_bin
Description:
Current thread:
- Geany IDE not escaping filenames during compilation / build - a security issue or not? Jan Lieskovsky (Dec 12)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Frank Lanitz (Dec 12)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Eitan Adler (Dec 12)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Andreas Ericsson (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Jan Lieskovsky (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Simon McVittie (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Andreas Ericsson (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Colomban Wendling (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Andreas Ericsson (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Matthew Brush (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Andreas Ericsson (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Kurt Seifried (Dec 13)