Bug#898373: lilypond: CVE-2017-17523 (again)


Bug#898373: lilypond: CVE-2017-17523 (again)

Gabriel Corona-2
Package: lilypond
Version: 2.18.2-12
Severity: grave
Tags: security
Justification: user security hole

Hi,

lilypond-invoke-editor as shipped in Debian is still vulnerable to
shell command injection in URIs (CVE-2017-17523).

This is easily demonstrated by running this shell command using an
updated lilypond package which still spawns an xterm process:

BROWSER="firefox" lilypond-invoke-editor "http://www.example.com/&xterm"

The vulnerable code snippet is still present:

(define (run-browser uri)
  (system
   (if (getenv "BROWSER")
       (format #f "~a ~a" (getenv "BROWSER") uri)
       (format #f "firefox -remote 'OpenURL(~a,new-tab)'" uri))))

Upstream bug [1] is marked as fixed but it's actually not. It has been
reported as Debian Bug 884136 which is marked as closed and archived.

[1] https://sourceforge.net/p/testlilyissues/issues/5243/

--
Gabriel


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lilypond depends on:
ii  ghostscript        9.22~dfsg-2.1
ii  libc6              2.27-3
ii  libfontconfig1     2.13.0-4
ii  libfreetype6       2.8.1-2
ii  libgcc1            1:8-20180425-1
ii  libglib2.0-0       2.56.1-2
ii  libgmp10           2:6.1.2+dfsg-3
ii  libltdl7           2.4.6-2.1
ii  libpango-1.0-0     1.42.0-1
ii  libpangoft2-1.0-0  1.42.0-1
ii  libstdc++6         8-20180425-1
ii  lilypond-data      2.18.2-12
ii  python             2.7.15~rc1-1

Versions of packages lilypond recommends:
ii  texlive-latex-base  2018.20180416-1

Versions of packages lilypond suggests:
pn  lilypond-doc  <none>

-- no debconf information

Bug#898373: lilypond: CVE-2017-17523 (again)

Don Armstrong-2
Control: unarchive 884136
Control: found 884136 2.18.2-12
Control: found 884136 2.19.81-1~exp1
Control: forcemerge 884136 898373
Control: tag 884136 confirmed

On Thu, 10 May 2018, Gabriel Corona wrote:
> lilypond-invoke-editor as shipped in Debian is still vulnerable to
> shell command injection in URIs (CVE-2017-17523).

Thanks for the report; we're actually shipping the upstream code with
their fix to 2017-17523, but clearly that fix doesn't fix the whole
thing, because they're using system instead of system*.

I'm testing a quick patch which should fix this issue, and I'll send it
upstream once I know it's working.

--
Don Armstrong                      https://www.donarmstrong.com

6: If we are one, then we can defeat 2.
  -- "The Prisoner (2009 Miniseries)" _Schizoid_
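
The following Guile snippet is an added example and is not code from this bug thread or from LilyPond itself. It places the vulnerable pattern Gabriel quotes beside an argv-based rewrite in the spirit of the system -> system* change Don describes. The rule of splitting $BROWSER on whitespace, and the run-browser-unsafe/run-browser-safe names, are assumptions made for this example.

```scheme
;; Added example, not code from the bug thread or from LilyPond.
;; run-browser-unsafe reproduces the pattern quoted in the report;
;; run-browser-safe is an argv-based rewrite using system*.
(use-modules (srfi srfi-1))   ; filter

;; Vulnerable pattern: the URI is spliced into one string that
;; /bin/sh parses, so shell metacharacters in the URI such as
;; "&", ";" or "$(...)" are executed as commands.
(define (run-browser-unsafe uri)
  (system
   (if (getenv "BROWSER")
       (format #f "~a ~a" (getenv "BROWSER") uri)
       (format #f "firefox -remote 'OpenURL(~a,new-tab)'" uri))))

;; Split $BROWSER on whitespace so a user may set e.g.
;; BROWSER="chromium --incognito".  Only the trusted variable is
;; split, never the URI.  (Assumed convention for this example.)
(define (browser-argv)
  (let ((browser (getenv "BROWSER")))
    (if browser
        (filter (lambda (s) (not (string-null? s)))
                (string-split browser #\space))
        '("firefox" "-remote"))))

;; Hardened: system* execs the program directly, each argument being
;; its own argv element.  No shell is involved, so the URI can hold
;; any characters and still arrives at the browser as one argument.
(define (run-browser-safe uri)
  (apply system*
         (append (browser-argv)
                 (list (if (getenv "BROWSER")
                           uri
                           (format #f "OpenURL(~a,new-tab)" uri))))))

;; Entry point: takes the URI from the command line, defaulting to the
;; test URI from the report.  Only the safe variant is invoked.
(let ((args (command-line)))
  (run-browser-safe (if (> (length args) 1)
                        (cadr args)
                        "http://www.example.com/&xterm")))
```

Running it as `BROWSER=echo guile run-browser.scm` prints the whole URI, including the `&xterm` suffix, as a single token, because system* never hands the string to a shell. The same URI through run-browser-unsafe would be parsed by /bin/sh, which is exactly the behaviour the report demonstrates. The one thing to keep in mind with the argv approach is that $BROWSER is now a program name plus arguments rather than a shell fragment, so any splitting must be applied to that trusted variable only and never to attacker-controlled input such as the URI.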

Bug#898373: lilypond: CVE-2017-17523 (again)

Salvatore Bonaccorso-4
Hi Don,

On Thu, May 10, 2018 at 04:15:23PM -0700, Don Armstrong wrote:

> Control: unarchive 884136
> Control: found 884136 2.18.2-12
> Control: found 884136 2.19.81-1~exp1
> Control: forcemerge 884136 898373
> Control: tag 884136 confirmed
>
> On Thu, 10 May 2018, Gabriel Corona wrote:
> > lilypond-invoke-editor as shipped in Debian is still vulnerable to
> > shell command injection in URIs (CVE-2017-17523).
>
> Thanks for the report; we're actually shipping the upstream code with
> their fix to 2017-17523, but clearly that fix doesn't fix the whole
> thing, because they're using system instead of system*.
>
> I'm testing a quick patch which should fix this issue, and I'll send it
> upstream once I know it's working.

I will request a new CVE id for the "incomplete fix for
CVE-2017-17523" (but no need to wait for that assignment for fixing
the issue).

Regards,
Salvatore