Bug 16090

Summary: insecure startup script: would execute any code from the current dir
Product: Sisyphus
Reporter: Ivan Zakharyaschev <imz>
Component: skipstone
Assignee: Michael Shigorin <mike>
Status: CLOSED FIXED
QA Contact: qa-sisyphus
Severity: major
Priority: P2
CC: mike
Version: unstable
Hardware: all
OS: Linux

Description Ivan Zakharyaschev 2008-06-19 03:41:12 MSD
BTW, the thing you quoted must be terrible! For security.

> --- src/skipstone.in
> if [ -f ./skipstone-bin ]; then
>         exec ./skipstone-bin $@
> else

Welcome, virus! (or just a thoughtless error)

$ cat > skipstone-bin
echo Hi i am a virus
$ chmod a+x skipstone-bin
$ skipstone 
Hi i am a virus
$ rpm -qf $(which skipstone)
skipstone-1.0.0-alt3
$ 

I think "exec ./skipstone-bin" shouldn't be there. And IMO updates for the stable branches are desirable.
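The wrapper logic quoted above, placed beside a hardened variant that never consults the working directory, as an added example (not code from the skipstone package). The libexec path, the SKIPSTONE_BIN_OVERRIDE variable and the resolve_* function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the skipstone package's own wrapper.
# Installed location that ./configure would substitute into skipstone.in;
# the default below is an assumed value.
SKIPSTONE_LIBEXEC="${SKIPSTONE_LIBEXEC:-/usr/libexec/skipstone}"

# Lookup as quoted in the report: any file named skipstone-bin in the
# current directory wins over the installed binary.
resolve_insecure() {
    if [ -f ./skipstone-bin ]; then
        echo ./skipstone-bin
    else
        echo "$SKIPSTONE_LIBEXEC/skipstone-bin"
    fi
}

# Hardened lookup: the working directory is never consulted. Running from
# the build tree requires an explicit opt-in with an absolute path
# (SKIPSTONE_BIN_OVERRIDE is an assumed name).
resolve_secure() {
    override="${SKIPSTONE_BIN_OVERRIDE:-}"
    if [ -n "$override" ]; then
        case "$override" in
            /*) echo "$override"; return 0 ;;
            *)  echo "skipstone: SKIPSTONE_BIN_OVERRIDE must be an absolute path" >&2
                return 1 ;;
        esac
    fi
    echo "$SKIPSTONE_LIBEXEC/skipstone-bin"
}
# The real wrapper would finish with:  exec "$(resolve_secure)" "$@"
# (quoted "$@", which the original's bare $@ lacked).

# Demonstration: a constructed ./skipstone-bin in a scratch directory
# hijacks the insecure lookup but not the hardened one.
demo() {
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" \
        && printf '#!/bin/sh\necho planted\n' > skipstone-bin \
        && chmod a+x skipstone-bin \
        && echo "insecure: $(resolve_insecure)" \
        && echo "secure:   $(resolve_secure)" )
    rm -rf "$tmp"
}
```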
Comment 1 Michael Shigorin 2008-06-19 21:23:00 MSD
I considered removing that but frankly didn't really bother.  It's obviously crafted for running skipstone from build tree.

If one has arbitrary code in locations which might be cwd when running stuff like gecko-based browsers, one usually has two _other_ problems racing for insecurity championship:

- buggy gecko (plus NPAPI plugins like flash)
- the path by which that code appeared on the system in the first place

OK, I'll fix it -- but if you're really interested, I'd gladly hand the package so you could (co)maintain it :-)
Comment 2 Michael Shigorin 2008-06-19 21:30:53 MSD
Fixed in 1.0.0-alt4.  I won't do updates though, it's not on my "actively supported" package list (there was one published in devel@ shortly before Server 4.0.0 release) and there are really lots of more important things deserving attention in probably each one of 200 packages I currently (co)maintain...
Comment 3 Ivan Zakharyaschev 2008-06-24 15:31:00 MSD
Thanks for the fix!

(In reply to comment #1)

> - the path by which that code appeared on the system in the first place

Perhaps, by lack of attention: someone sent you a .tar, and it was there.

> OK, I'll fix it -- but if you're really interested, I'd gladly hand the package so you could (co)maintain it :-)

No, I'm not quite interested, I just reported problems I happened to notice, because I thought it would be better to report any problem I notice than to keep silent.
Comment 4 Michael Shigorin 2008-06-24 16:29:47 MSD
(In reply to comment #3)
> > - the path by which that code appeared on the system in the first place
> Perhaps, by lack of attention: someone sent you a .tar, and it was there.
Then the problem is between the chair and the keyboard as it happens ;-)

> I just reported problems I happened to notice, because I thought it 
> would be better to report any problem I notice than to keep silent.
I respect that.
Comment 5 Ivan Zakharyaschev 2008-07-31 20:46:51 MSD
[JT]

(In reply to comment #4)
> (In reply to comment #3)
> > > - the path by which that code appeared on the system in the first place
> > Perhaps, by lack of attention: someone sent you a .tar, and it was there.
> Then the problem is between the chair and the keyboard as it happens ;-)

Not completely true: a normal UNIX user shouldn't expect that executables from the working directory are executed.

This feature was perhaps appropriate for skipstone developers (who understood the internals), but completely inappropriate for any other user, who just doesn't think about this possibility when working.