Description of problem:

https://github.com/linuxmint/mintstick/issues/42
https://bugs.launchpad.net/linuxmint/+bug/1460775

File : /usr/lib/minstick/raw_format.py

Example Demo Exploit :
=====================
If you run mintstick and you type in this text as a VOLUME LABEL :

$(ls>x.txt)

... a file x.txt will be created in the root's home folder as a proof of concept.

The reason is this code in the python script "raw_format.py", lines 53-59 :

    # Format partition according to the fstype specified
    if fstype == "fat32":
        os.system("mkdosfs -F 32 -n \"%s\" %s >/dev/null 2>&1" % (volume_label, partition.path))
    if fstype == "ntfs":
        os.system("mkntfs -f -L \"%s\" %s >/dev/null 2>&1" % (volume_label, partition.path))
    elif fstype == "ext4":
        os.system("mkfs.ext4 -E root_owner=%s:%s -L \"%s\" %s >/dev/null 2>&1" % (uid, gid, volume_label, partition.path))

Here the volume label text "$(ls>x.txt)" gets into %s and will be injected and executed as a shell command.

Version-Release number of selected component (if applicable):
0.42

Reproducible:

Steps to Reproduce:
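An added example, not part of the original report and not the isodumper or mintstick fix itself: the same three mkfs invocations built as argument lists so that no shell ever parses the label, plus a check that runs the report's label through both call styles. The names format_argv, run_format and label_is_executed, the stand-in command "true" and the placeholder device path are assumptions made for this illustration.

```python
import os
import subprocess
import tempfile

POC_LABEL = "$(ls>x.txt)"  # volume label from the report's proof of concept


def format_argv(fstype, label, device, uid=0, gid=0):
    """Build the mkfs command as a list: the label is a single argv element."""
    if fstype == "fat32":
        return ["mkdosfs", "-F", "32", "-n", label, device]
    if fstype == "ntfs":
        return ["mkntfs", "-f", "-L", label, device]
    if fstype == "ext4":
        return ["mkfs.ext4", "-E", "root_owner=%s:%s" % (uid, gid),
                "-L", label, device]
    raise ValueError("unsupported fstype: %r" % (fstype,))


def run_format(fstype, label, device, uid=0, gid=0):
    """Shell-free equivalent of the os.system() calls in raw_format.py."""
    with open(os.devnull, "w") as null:
        return subprocess.call(format_argv(fstype, label, device, uid, gid),
                               stdout=null, stderr=null)


def label_is_executed(label, use_shell):
    """Run the harmless stand-in "true" in a scratch directory, either as a
    formatted shell string (the raw_format.py pattern) or as an argv list,
    and report whether the label's $(...) ran, i.e. whether x.txt appeared."""
    device = "/dev/constructed-placeholder"  # never opened: "true" ignores it
    with tempfile.TemporaryDirectory() as scratch:
        if use_shell:
            cmd = "true -n \"%s\" %s >/dev/null 2>&1" % (label, device)
            subprocess.call(cmd, shell=True, cwd=scratch)
        else:
            subprocess.call(["true", "-n", label, device], cwd=scratch)
        return os.path.exists(os.path.join(scratch, "x.txt"))


if __name__ == "__main__":
    print("shell string:", label_is_executed(POC_LABEL, use_shell=True))
    print("argv list   :", label_is_executed(POC_LABEL, use_shell=False))
```

With the argv form the label reaches the formatter byte for byte, so the odd string simply becomes the volume label.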
Assignee: bugsquad => geiger.david68210
A correction is pushed on git. Papoteur
commit 55d4b990b22a46273430910fe40bb2f7f381ef8f
Author: SARL ENR 68 <david@...>
Date:   Tue Oct 6 09:39:04 2015 +0200

    New release 0.43

    - fix for bug mga#16910
---
Commit Link:
  http://gitweb.mageia.org/software/isodumper/commit/?id=55d4b990b22a46273430910fe40bb2f7f381ef8f
Version: 5 => Cauldron
Whiteboard: (none) => MGA5TOO
(In reply to Mageia Robot from comment #2)
> commit 55d4b990b22a46273430910fe40bb2f7f381ef8f
> Author: SARL ENR 68 <david@...>
> Date: Tue Oct 6 09:39:04 2015 +0200
>
> New release 0.43
>
> - fix for bug mga#16910
> ---
> Commit Link:
>
> http://gitweb.mageia.org/software/isodumper/commit/?id=55d4b990b22a46273430910fe40bb2f7f381ef8f

Just for the reference, it would have been better to mention mga#16910 in the actual commit that fixes the issue (http://gitweb.mageia.org/software/isodumper/commit/?id=12e34b26a99ada6c22fcee5abaac5a90fb2b8cf3) instead of the commit that creates the 0.43 version.
Fixed package was pushed to Cauldron already.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
(In reply to Rémi Verschelde from comment #3)
> (In reply to Mageia Robot from comment #2)
> > commit 55d4b990b22a46273430910fe40bb2f7f381ef8f
> > Author: SARL ENR 68 <david@...>
> > Date: Tue Oct 6 09:39:04 2015 +0200
> >
> > New release 0.43
> >
> > - fix for bug mga#16910
> > ---
> > Commit Link:
> >
> > http://gitweb.mageia.org/software/isodumper/commit/?id=55d4b990b22a46273430910fe40bb2f7f381ef8f
>
> Just for the reference, it would have been better to mention mga#16910 in
> the actual commit that fixes the issue
> (http://gitweb.mageia.org/software/isodumper/commit/?id=12e34b26a99ada6c22fcee5abaac5a90fb2b8cf3)
> instead of the commit that creates the 0.43 version.

It's because I created the bug report after committing the corrections.
Why would it have been better? Is there an effect to mentioning mga#16910 in the commit message?
(In reply to papoteur from comment #5)
>
> It's because I created the bug report after commiting the corrections.
> Why would have been better? Is there an effect to mention mga#16910 in
> commit message?

Ah ok, then I guess it's fine. The effect of mentioning the bug report in the commit message creates the automatic comment above, so generally speaking it's best to do it in the actual fix commit (so that someone reading the bug report gets a direct link to the patch). But if the bug report has been created afterwards, you couldn't mention it indeed :)
Advisory:
========================

The volume label text could be injected and executed as a shell command in raw_format.py from isodumper.
Mintstick has been corrected in the same way.
https://github.com/linuxmint/mintstick/issues/42
https://bugs.launchpad.net/linuxmint/+bug/1460775
This update fixes this security issue.
========================

Packages in 5/core/updates_testing:
========================
isodumper-0.43-1.mga5.noarch.rpm

Source RPM:
========================
isodumper-0.43-1.mga5.src.rpm

How to test this update request:
========================
- See initial comment for test procedure.
Assignee: geiger.david68210 => qa-bugs
MGA5 x64

About to try this, but puzzled by something: after installing ISOdumper 0.42:
 $ /usr/lib/mintstick/raw_format.py
 bash: /usr/lib/mintstick/raw_format.py: No such file or directory
[Note mintstick, not minstick].

The only way to write a device (= volume?) label with ISOdumper is Format the device/Label for the device.

I tried formatting Fat32 a USB stick with the given bad label "$(ls>x.txt)"; the device [USB stick, *not* partition] label remained unchanged; also that of the ISO image [partition/device equivalent] it previously contained. However, an empty file as indicated *was* created in /root :
 # ls -l /root
 -rw-r--r-- 1 root root 0 Hyd 6 21:07 X.TXT
Deleted this.

Updated to: isodumper-0.43-1.mga5

Re-ran it with the same USB stick, Format Fat32 with device label "$(ls>x.txt)". This time the duff [partition/device] label *was* written and recognised/displayed as such by the file manager. Again the USB stick label remained unchanged. And there was *no* /root/X.TXT file created.

Update OK.
CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0393.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/660421/