Summary: | wordexp fails to honour WRDE_NOCMD (CVE-2014-7817) | ||
---|---|---|---|
Product: | glibc | Reporter: | Carlos O'Donell <carlos> |
Component: | libc | Assignee: | Not yet assigned to anyone <unassigned> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | drepper.fsp, fweimer |
Priority: | P2 | Flags: | fweimer:
security+
|
Version: | 2.21 | ||
Target Milestone: | --- | ||
Host: | Target: | ||
Build: | Last reconfirmed: |
Description
Carlos O'Donell
2014-11-19 15:59:31 UTC
* CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution of a shell for command substitution when the applicaiton did not request it. The implementation now checks WRDE_NOCMD immediately before executing the shell and returns the error WRDE_CMDSUB as expected. Fixed on trunk. commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c Author: Carlos O'Donell <carlos@redhat.com> Date: Wed Nov 19 11:44:12 2014 -0500 CVE-2014-7817: wordexp fails to honour WRDE_NOCMD. The function wordexp() fails to properly handle the WRDE_NOCMD flag when processing arithmetic inputs in the form of "$((... ``))" where "..." can be anything valid. The backticks in the arithmetic epxression are evaluated by in a shell even if WRDE_NOCMD forbade command substitution. This allows an attacker to attempt to pass dangerous commands via constructs of the above form, and bypass the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD in exec_comm(), the only place that can execute a shell. All other checks for WRDE_NOCMD are superfluous and removed. We expand the testsuite and add 3 new regression tests of roughly the same form but with a couple of nested levels. On top of the 3 new tests we add fork validation to the WRDE_NOCMD testing. If any forks are detected during the execution of a wordexp() call with WRDE_NOCMD, the test is marked as failed. This is slightly heuristic since vfork might be used in the future, but it provides a higher level of assurance that no shells were executed as part of command substitution with WRDE_NOCMD in effect. In addition it doesn't require libpthread or libdl, instead we use the public implementation namespace function __register_atfork (already part of the public ABI for libpthread). Tested on x86_64 with no regressions. |