oss-sec mailing list archives
Re: Re: CVE request: lsyncd command injection
From: Sven Schwedas <sven.schwedas () tao at>
Date: Wed, 26 Nov 2014 13:22:43 +0100
On 2014-11-26 00:18, Ángel González wrote:
> On 20-11-2014 Mitre wrote:
>> There is a command injection flaw in lsyncd, a file change monitoring and synchronization daemon:
>> https://github.com/axkibe/lsyncd/issues/220
>> https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227
>>
>> Use CVE-2014-8990. The scope of this CVE ID includes both:
>>
>> 1. code execution with ` characters or other characters that are special to a shell
>>
>> 2. denial of service scenarios in which a user with write access to a local directory uses special characters to make synchronization fail (might have security relevance in some scenarios)
>>
>> The MITRE CVE team does not have a Lua expert. The code change adds:
>>
>>   local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
>>   local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
>>
>> This does not seem to be the typical fix approach for unsafe input to a shell. Has anyone concluded that this is an incomplete fix that ought to be modified before the 2.1.6 release?
>
> It is indeed an incomplete fix:
>
> * The gsub ('%$','\\%$') works in lua5.1, but under lua5.2 the second % character makes lsyncd fail with the error "stdin:1: invalid use of '%' in replacement string". Thus allowing a complete denial of service.
>
> * Not all metacharacters are filtered, so command execution is still present. In particular, the escaped characters can be prefixed with a backslash to bypass the filter.
>
> The attached patch should hopefully solve these issues.
Thank you. I've tested the patch locally and it appears to be working correctly (mine was more a quick hack to get our own lsyncd instances running again). It also has been merged upstream:
https://github.com/axkibe/lsyncd/commit/e9ffda07f0145f50f2756f8ee3fb0775b455122b
Attached is the patch adapted for Wheezy's lsyncd 2.0.7-3.

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas () tao at | +43 (0)680 301 7167
http://software.tao.at
Attachment: 0001-Properly-sanitize-mv-parameters-CVE-2014-8990.patch
Attachment: signature.asc (OpenPGP digital signature)
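As an added illustration (not lsyncd's code, and not the patch attached to this mail), the following Python script models the escaping chain of the partial fix, feeds the resulting command line through a small scanner that applies the POSIX quoting rules, and reports which backticks or dollar signs the shell would still treat as substitution starts. It then shows the two approaches that hold up: wrapping each path in single quotes via `shlex.quote`, or skipping the shell entirely and handing `mv` an argv list. All function names are invented for this example; `active_substitutions` is a simplified model of shell quoting (single quotes, double quotes, backslash), and it covers only the shell side, not the Lua 5.2 `%` pattern error described above.

```python
"""Added example (not lsyncd's code): why escaping ", ` and $ one at a time
is not enough when a path is interpolated into a shell command line.

Assumptions (not from the thread): the function names are invented for this
illustration, and active_substitutions is a simplified model of POSIX shell
quoting that is sufficient for the cases shown."""
import shlex
from typing import List, Optional


def escape_like_partial_fix(path: str) -> str:
    """Python rendering of the gsub chain from the partial fix: escape only
    double quote, backtick and dollar by prefixing a backslash."""
    return path.replace('"', '\\"').replace('`', '\\`').replace('$', '\\$')


def build_mv_command_partial(src: str, dst: str) -> str:
    """Command line as the partial fix builds it: escaped paths inside
    double quotes, handed to a shell."""
    return 'mv "%s" "%s"' % (escape_like_partial_fix(src), escape_like_partial_fix(dst))


def build_mv_command_quoted(src: str, dst: str) -> str:
    """Same command line, but each path wrapped by shlex.quote (single quotes,
    inside which the shell performs no substitution at all)."""
    return 'mv %s %s' % (shlex.quote(src), shlex.quote(dst))


def build_mv_argv(src: str, dst: str) -> List[str]:
    """Preferred form: an argv list for subprocess.run(..., shell=False).
    No shell parses the paths; '--' stops mv from reading a leading '-' as an option."""
    return ['mv', '--', src, dst]


def active_substitutions(command: str) -> List[str]:
    """Scan a command line with the POSIX quoting rules and return every
    ` or $ the shell would still treat as the start of a substitution.
    Single quotes: everything is literal until the closing quote.
    Double quotes: backslash escapes only $ ` " \\ and newline.
    Unquoted: backslash escapes the next character."""
    active: List[str] = []
    state: Optional[str] = None  # None = unquoted, "'" or '"' = inside that quote
    i = 0
    while i < len(command):
        c = command[i]
        nxt = command[i + 1] if i + 1 < len(command) else ''
        if state == "'":
            if c == "'":
                state = None
        elif state == '"':
            if c == '\\' and nxt and nxt in '$`"\\\n':
                i += 2  # escaped pair: skip both characters
                continue
            if c == '"':
                state = None
            elif c in '$`':
                active.append(c)
        else:
            if c == '\\' and nxt:
                i += 2
                continue
            if c in "'\"":
                state = c
            elif c in '$`':
                active.append(c)
        i += 1
    return active


if __name__ == '__main__':
    # Constructed sample file names: an ordinary one, one with a plain backtick
    # (which the partial fix does neutralise), and two where the special
    # character is preceded by a backslash, the bypass pointed out in the thread.
    samples = ['report 2014.txt', '`x`.txt', '\\`x`.txt', '\\$x.txt']
    for name in samples:
        print('%-16r partial: %-5r quoted: %r' % (
            name,
            active_substitutions(build_mv_command_partial(name, 'dst')),
            active_substitutions(build_mv_command_quoted(name, 'dst'))))
    # Without a shell, subprocess never sees a command string to parse.
    print(build_mv_argv('\\`x`.txt', 'dst'))
```

The scanner makes the failure visible: inside double quotes the escaped backslash is consumed as a pair, leaving the backtick that follows it unescaped, which is exactly why per-character escaping keeps losing to one more prefix character. Single quotes have no escape sequences at all, so `shlex.quote` survives any input, and the argv form removes the shell from the picture entirely.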