Re: [Groff] FW: ISS Security Advisory: GNU Groff utilities read untruste
From: Solar Designer
Subject: Re: [Groff] FW: ISS Security Advisory: GNU Groff utilities read untrusted commands from current working directory
Date: Tue, 21 Nov 2000 16:05:35 +0300
User-agent: Mutt/1.2.5i
> I've now done the following: For searching and scanning troffrc and
> troffrc-end, the home directory is used instead of the current
> directory for the default path. Similarly, the current directory in
> the font path has been replaced with the home directory.
What about making this ~/.groff? Too many files are looked for in
the home directory now, so I'm afraid that it may hit some totally
unrelated file of a matching name. (This isn't a security issue.)
> People can easily add the current directory again (if ever necessary)
> either with using -M (resp. -F) or setting GROFF_TMAC_PATH or
> GROFF_FONT_PATH.
>
> I've just committed the changes into the CVS. Please test and report
> whether this solution is sufficient to solve this security problem.
Thanks for the opportunity.
This is indeed a lot better, but we aren't there yet:
12395 open("./andoc.tmac", O_RDONLY) = -1 ENOENT (No such file or directory)
12395 open("./an-old.tmac", O_RDONLY) = -1 ENOENT (No such file or directory)
12395 open("./man.local", O_RDONLY) = -1 ENOENT (No such file or directory)
The "./andoc.tmac" is due to "-mandoc" when running from man and
seems to be safe (man does a "cd /usr/man" before this).
3076 open("./eqnrc", O_RDONLY) = -1 ENOENT (No such file or directory)
3077 open("./andoc.tmac", O_RDONLY) = -1 ENOENT (No such file or directory)
In this case, "-mandoc" is passed from lesspipe.sh; I've changed my
version to do a "cd /" before running groff, but many distributions
include the dangerous versions. Maybe we could restrict -m as well?
--- groff-1.16.1/src/preproc/eqn/main.cc.orig Tue Nov 21 15:46:09 2000
+++ groff-1.16.1/src/preproc/eqn/main.cc Tue Nov 21 15:46:26 2000
@@ -329,7 +329,7 @@
device, program_name);
if (load_startup_file) {
char *path;
- FILE *fp = macro_path.open_file(STARTUP_FILE, &path);
+ FILE *fp = safer_macro_path.open_file(STARTUP_FILE, &path);
if (fp) {
do_file(fp, path);
fclose(fp);
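Review bot: the patch does not show where `safer_macro_path` is declared for the eqn preprocessor; it has to exist in eqn's main.cc (or a header it includes) as a search path with the current directory left out, otherwise this hunk does not build. Using the restricted path object directly for the startup file, rather than swapping a global pointer, is the cleaner of the two approaches in this patch; the strace line `3076 open("./eqnrc", O_RDONLY)` quoted above is what this hunk is meant to remove.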
--- groff-1.16.1/src/roff/troff/input.cc.orig Tue Nov 21 14:36:25 2000
+++ groff-1.16.1/src/roff/troff/input.cc Tue Nov 21 14:47:30 2000
@@ -5691,6 +5691,8 @@
while (!tok.newline() && !tok.eof())
tok.next();
char *path;
+ // restrict path for security reasons
+ mac_path = &safer_macro_path;
FILE *fp = mac_path->open_file(nm.contents(), &path);
// .mso doesn't (and cannot) go through open_mac_file, so we
// need to do it here manually: If we have tmac.FOOBAR, try
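Review bot: assigning the global `mac_path = &safer_macro_path;` here and relying on a statement in the next hunk to put it back is fragile: any early `return` between the two points leaves every later macro lookup in the run on the restricted path, and the lines in between (including the tmac.FOOBAR fallback the comment refers to) are not shown, so that cannot be checked from the patch. Calling `safer_macro_path.open_file(nm.contents(), &path)` directly, as the eqn hunk does, avoids mutating the global; the fallback open a few lines below would need the same change.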
@@ -5721,6 +5723,7 @@
}
else
error("can't find macro file `%1'", nm.contents());
+ mac_path = ¯o_path;
tok.next();
}
}
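Review bot: the restore line reads `mac_path = ¯o_path;` in this copy, which is what `&macro_path` turns into when `&macr` is interpreted as an HTML entity; confirm the real patch says `&macro_path` before applying it, since as shown it does not compile. The same mangling appears in the env.cc hunk below.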
--- groff-1.16.1/src/roff/troff/env.cc.orig Tue Nov 21 14:36:25 2000
+++ groff-1.16.1/src/roff/troff/env.cc Tue Nov 21 14:24:43 2000
@@ -3113,7 +3113,10 @@
int num[WORD_MAX+1];
errno = 0;
char *path = 0;
+ // restrict path for security reasons
+ mac_path = &safer_macro_path;
FILE *fp = mac_path->open_file(name, &path);
+ mac_path = ¯o_path;
if (fp == 0) {
error("can't find hyphenation patterns file `%1'", name);
return;
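Review bot: the set/open/restore sequence around one `open_file` call touches the global `mac_path` for no benefit; `FILE *fp = safer_macro_path.open_file(name, &path);` is equivalent and leaves `mac_path` alone. The restore line again shows `¯o_path` rather than `&macro_path` (see the input.cc hunk); note that it is placed before the `if (fp == 0)` check, so the global is correctly restored on the error `return` as well.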
--
/sd
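A way to check "test and report" results of the kind quoted above, as an added example that is neither part of this post nor groff code: it parses strace output and reports every open of a current-directory-relative path, marking the ones that actually succeeded. The sample lines are constructed (three taken from the post, one invented absolute path, one in the newer openat form).

```python
import re

# Matches strace open()/openat() lines, with or without a leading PID
# (strace -f prints one). Classic form, as quoted in the post:
#   12395 open("./andoc.tmac", O_RDONLY) = -1 ENOENT (No such file or directory)
# Newer strace prints openat(AT_FDCWD, "./andoc.tmac", O_RDONLY) instead.
# openat() relative to some other directory fd is not a cwd lookup and
# is deliberately not matched.
OPEN_RE = re.compile(
    r'^(?:(?P<pid>\d+)\s+)?'
    r'(?P<call>open|openat)\('
    r'(?:AT_FDCWD,\s*)?'
    r'"(?P<path>[^"]*)"'
)

def is_cwd_relative(path):
    """True if the path is resolved against the current working directory."""
    return not path.startswith("/")

def cwd_lookups(lines):
    """Return (pid, path, found) for every open of a cwd-relative path.

    found is True when the call returned a descriptor, i.e. a file from
    the current directory was really read, which is the dangerous case.
    """
    hits = []
    for line in lines:
        m = OPEN_RE.match(line)
        if not m or not is_cwd_relative(m.group("path")):
            continue
        # Text after " = " is the fd number on success, -1 on failure.
        _, _, result = line.partition(" = ")
        found = result.strip().split(" ")[0] not in ("-1", "")
        hits.append((m.group("pid"), m.group("path"), found))
    return hits

# Constructed sample: lines from the post plus two made-up ones.
SAMPLE = """\
12395 open("./andoc.tmac", O_RDONLY) = -1 ENOENT (No such file or directory)
12395 open("/usr/share/groff/1.16.1/tmac/andoc.tmac", O_RDONLY) = 3
3076 open("./eqnrc", O_RDONLY) = -1 ENOENT (No such file or directory)
3077 openat(AT_FDCWD, "./man.local", O_RDONLY) = 4
""".splitlines()

if __name__ == "__main__":
    for pid, path, found in cwd_lookups(SAMPLE):
        print(pid, path, "READ" if found else "missing")
```

Run it on `strace -f -e trace=open,openat groff ...` output from a scratch directory that contains decoy copies of the macro files; any line marked READ means the search path still reaches the current directory.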