[23749] in bugtraq


Re: Pine 4.33 (at least) URL handler allows embedded commands.

daemon@ATHENA.MIT.EDU (Roman Drahtmueller)
Tue Jan 8 11:02:36 2002

Date: Mon, 7 Jan 2002 14:01:05 +0100 (MET)
From: Roman Drahtmueller <draht@suse.de>
To: bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.4.42.0201061733250.3881-100000@nimue.bos.bindview.com>
Message-ID: <Pine.LNX.4.43.0201071358190.22932-200000@dent.suse.de>
MIME-Version: 1.0

> > Problem:		URL handler allows embedded commands.
> > 			May allow email viruses of the Outlook kind.
>
> >   http://address/'&/some/program${IFS}with${IFS}arguments&'
>
> Isn't that old news? http://www.securityfocus.com/bid/810
>
> I *can* be wrong, but it looks like it is the same problem...

SuSE pine packages contain a patch that makes pine use environment
variables to pass on the URL to the viewer. The patch is attached - I'm
not sure who made it, but it looks like it is from Olaf Kirch.

Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> // "You don't need eyes to see, |
  SuSE GmbH - Security           Phone: //             you need vision!"
| Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -

Content-Disposition: attachment; filename="pine-4.33-security.patch"

--- pine/mailview.c.orig	Thu Oct 12 21:33:32 2000
+++ pine/mailview.c	Fri Oct 27 10:04:58 2000
@@ -3738,124 +3738,46 @@
 #define	URL_MAX_LAUNCH	(2 * MAILTMPLEN)
 
     if(handle->h.url.tool){
-	char	*toolp, *cmdp, *p, *q, cmd[URL_MAX_LAUNCH + 1];
-	char    *left_double_quote, *right_double_quote;
-	int	 mode, len, hlen, quotable = 0, copied = 0, double_quoted = 0;
+	char	*toolp, *cmdp, *endp, cmd[URL_MAX_LAUNCH + 1];
+	int	 mode, len, copied = 0;
 	PIPE_S *syspipe;
 
 	if((len = strlen(toolp = handle->h.url.tool)) > URL_MAX_LAUNCH)
 	  return(url_launch_too_long(rv));
 	  
-	hlen	 = strlen(handle->h.url.path);
-
 	/*
-	 * Figure out if we need to quote the URL. If there are shell
-	 * metacharacters in it we want to quote it, because we don't want
-	 * the shell to interpret them. However, if the user has already
-	 * quoted the URL in the command definition we don't want to quote
-	 * again. So, we try to see if there are a pair of unescaped
-	 * quotes surrounding _URL_ in the cmd.
-	 * If we quote when we shouldn't have, it'll cause it not to work.
-	 * If we don't quote when we should have, it's a possible security
-	 * problem (and it still won't work).
-	 *
-	 * In bash and ksh $( executes a command, so we use single quotes
-	 * instead of double quotes to do our quoting. If configured command
-	 * is double-quoted we change that to single quotes.
+	 * Rather than trying to be smart about quoting and
+	 * meta-characters, just stuff the URL into an environment
+	 * variable and make the handler use it.
 	 */
-#ifdef	_WINDOWS
-	if(*toolp == '*' || (*toolp == '\"' && *(toolp+1) == '*'))
-	  quotable = 0;		/* never quote */
-	else
-#endif
-	if(strpbrk(handle->h.url.path, "&*;<>?[|~$") != NULL){  /* specials? */
-	    if((p = strstr(toolp, "_URL_")) != NULL){  /* explicit arg? */
-		int in_quote = 0;
-
-		/* see whether or not it is already quoted */
-
-	        quotable = 1;
-
-		for(q = toolp; q < p; q++)
-		  if(*q == '\'' && (q == toolp || q[-1] != '\\'))
-		    in_quote = 1 - in_quote;
-		
-		if(in_quote){
-		    for(q = p+5; *q; q++)
-		      if(*q == '\'' && q[-1] != '\\'){
-			  /* already single quoted, leave it alone */
-			  quotable = 0;
-			  break;
-		      }
-		}
-
-		if(quotable){
-		    in_quote = 0;
-		    for(q = toolp; q < p; q++)
-		      if(*q == '\"' && (q == toolp || q[-1] != '\\')){
-			  in_quote = 1 - in_quote;
-			  if(in_quote)
-			    left_double_quote = q;
-		      }
-		    
-		    if(in_quote){
-			for(q = p+5; *q; q++)
-			  if(*q == '\"' && q[-1] != '\\'){
-			      /* we'll replace double quotes with singles */
-			      double_quoted = 1;
-			      right_double_quote = q;
-			      break;
-			  }
-		    }
-		}
-	    }
-	    else
-	      quotable = 1;
-	}
-	else
-	  quotable = 0;
+	setenv("URL", handle->h.url.path, 1);
+#define _URL_EXPANSION	"\"$URL\""
 
 	/* Build the command */
 	cmdp = cmd;
-	while(1)
-	  if((!*toolp && !copied)
-	     || (*toolp == '_' && !strncmp(toolp + 1, "URL_", 4))){
+	endp = cmd + sizeof(cmd) - 1;
+	do {
+	  if (cmdp + 1 > endp)
+	      return(url_launch_too_long(rv));
 
+	  if (!*toolp && !copied) {
 	      /* implicit _URL_ at end */
-	      if(!*toolp){
-		  *cmdp++ = ' ';
-		  len++;
-	      }
-
-	      /* add single quotes */
-	      if(quotable && !double_quoted){
-		  *cmdp++ = '\'';
-		  len += 2;
-	      }
+	      *endp++ = ' ';
+	      toolp = "_URL_";
+	  }
+
+	  if (strncmp(toolp, "_URL_", 5) != 0) {
+	      *cmdp++ = *toolp++;
+	  } else {
+	      toolp += 5; /* length of _URL_ */
 
-	      if((len += hlen) > URL_MAX_LAUNCH)
+	      if (cmdp + sizeof(_URL_EXPANSION) - 1 > endp)
 		return(url_launch_too_long(rv));
 
+	      sstrcpy(&cmdp, _URL_EXPANSION);
 	      copied = 1;
-	      sstrcpy(&cmdp, handle->h.url.path);
-	      if(quotable && !double_quoted){
-		  *cmdp++ = '\'';
-		  *cmdp = '\0';
-	      }
-
-	      if(*toolp)
-		toolp += 5;		/* length of "_URL_" */
-	  }
-	  else{
-	      /* replace double quotes with single quotes */
-	      if(double_quoted &&
-		 (toolp == left_double_quote || toolp == right_double_quote)){
-		  *cmdp++ = '\'';
-		  toolp++;
-	      }
-	      else if(!(*cmdp++ = *toolp++))
-		break;
 	  }
+	} while (*toolp);
 	
 	mode = PIPE_RESET | PIPE_USER ;
 	if(syspipe = open_system_pipe(cmd, NULL, NULL, mode, 0)){
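Review bot: the rewritten command-building loop has two pointer defects in the implicit-_URL_ branch and at loop exit. First, `*endp++ = ' ';` writes the separator into the last byte of `cmd` instead of at the write position, so the space never lands between the handler and `"$URL"` (a tool of `lynx` becomes `lynx"$URL"`), and it also moves `endp` one past the end of the array, after which the `cmdp + sizeof(_URL_EXPANSION) - 1 > endp` check lets `sstrcpy` put its terminator at `cmd[sizeof(cmd)]`; this should be `*cmdp++ = ' ';` with `endp` left alone. Second, the old `else if(!(*cmdp++ = *toolp++)) break;` copied the terminating NUL, but `do { ... } while (*toolp);` stops before it, so whenever characters are copied after the `"$URL"` expansion (a tool like `lynx _URL_ 2>/dev/null`) `cmd` reaches `open_system_pipe` unterminated; add `*cmdp = '\0';` after the loop, for which the `cmdp + 1 > endp` check already reserves the byte. Worth documenting in the same comment block: the removed code detected a url-viewer setting that already single-quoted `_URL_`, whereas this version turns `'_URL_'` into `'"$URL"'` and hands the viewer the literal text `"$URL"`, so the setting must not quote the placeholder.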
