oss-sec mailing list archives
Re: Re: CVE request: lsyncd command injection
From: Ángel González <angel () 16bits net>
Date: Wed, 26 Nov 2014 00:18:13 +0100
On 20-11-2014 Mitre wrote:
There is a command injection flaw in lsyncd, a file change monitoring and synchronization daemon: https://github.com/axkibe/lsyncd/issues/220 https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227Use CVE-2014-8990. The scope of this CVE ID includes both: 1. code execution with ` characters or other characters that are special to a shell 2. denial of service scenarios in which a user with write access to a local directory uses special characters to make synchronization fail (might have security relevance in some scenarios) The MITRE CVE team does not have a Lua expert. The code change adds: local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$') local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$') This does not seem to be the typical fix approach for unsafe input to a shell. Has anyone concluded that this is an incomplete fix that ought to be modified before the 2.1.6 release?
It is indeed an incomplete fix: * The gsub ('%$','\\%$') works in lua5.1, but under lua5.2 the second % character makes lsyncd fail with the error "stdin:1: invalid use of '%' in replacement string". Thus allowing a complete denial of service * Not all metacharacters are filtered, so command execution is still present. In particular, the escaped characters can be prefixed with a backslash to bypass the filter. The attached patch should hopefully solve these issues.
Attachment:
0001-Properly-sanitize-mv-parameters-CVE-2014-8990.patch
Description:
Current thread:
- CVE request: lsyncd command injection Murray McAllister (Nov 18)
- Re: CVE request: lsyncd command injection cve-assign (Nov 19)
- Re: Re: CVE request: lsyncd command injection Michael Samuel (Nov 21)
- Re: Re: CVE request: lsyncd command injection Ángel González (Nov 25)
- Re: Re: CVE request: lsyncd command injection Sven Schwedas (Nov 26)
- Re: CVE request: lsyncd command injection cve-assign (Nov 19)