Bug 16090 - insecure startup script: would execute any code from the current dir
Summary: insecure startup script: would execute any code from the current dir
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: skipstone
Version: unstable
Hardware: all Linux
: P2 major
Assignee: Michael Shigorin
QA Contact: qa-sisyphus
URL:
Keywords:
Depends on:
Blocks:
Reported: 2008-06-19 03:41 MSD by Ivan Zakharyaschev
Modified: 2008-07-31 20:46 MSD (History)

See Also:

Description Ivan Zakharyaschev 2008-06-19 03:41:12 MSD
BTW, the thing you quoted must be terrible for security!

> --- src/skipstone.in
> if [ -f ./skipstone-bin ]; then
>         exec ./skipstone-bin $@
> else

Welcome, virus! (or just a thoughtless error)

$ cat > skipstone-bin
echo Hi i am a virus
$ chmod a+x skipstone-bin
$ skipstone 
Hi i am a virus
$ rpm -qf $(which skipstone)
skipstone-1.0.0-alt3
$ 

I think "exec ./skipstone-bin" shouldn't be there. And IMO updates for the stable branches are desirable.
Comment 1 Michael Shigorin 2008-06-19 21:23:00 MSD
I considered removing that but frankly didn't really bother.  It's obviously crafted for running skipstone from build tree.

If one has arbitrary code in locations which might be cwd when running stuff like gecko-based browsers, one usually has two _other_ problems racing for insecurity championship:

- buggy gecko (plus NPAPI plugins like flash)
- the path by which that code appeared on the system in the first place

OK, I'll fix it -- but if you're really interested, I'd gladly hand the package so you could (co)maintain it :-)
Comment 2 Michael Shigorin 2008-06-19 21:30:53 MSD
Fixed in 1.0.0-alt4.  I won't do updates though, it's not on my "actively supported" package list (there was one published in devel@ shortly before Server 4.0.0 release) and there are really lots of more important things deserving attention in probably each one of 200 packages I currently (co)maintain...
Comment 3 Ivan Zakharyaschev 2008-06-24 15:31:00 MSD
Thanks for the fix!

(In reply to comment #1)

> - the path by which that code appeared on the system in the first place

Perhaps, by lack of attention: someone sent you a .tar, and it was there.

> OK, I'll fix it -- but if you're really interested, I'd gladly hand the package so you could (co)maintain it :-)

No, I'm not quite interested, I just reported problems I happened to notice, because I thought it would be better to report any problem I notice than to keep silent.
Comment 4 Michael Shigorin 2008-06-24 16:29:47 MSD
(In reply to comment #3)
> > - the path by which that code appeared on the system in the first place
> Perhaps, by lack of attention: someone sent you a .tar, and it was there.
Then the problem is between the chair and the keyboard as it happens ;-)

> I just reported problems I happened to notice, because I thought it 
> would be better to report any problem I notice than to keep silent.
Respect.
Comment 5 Ivan Zakharyaschev 2008-07-31 20:46:51 MSD
[JT]

(In reply to comment #4)
> (In reply to comment #3)
> > > - the path by which that code appeared on the system in the first place
> > Perhaps, by lack of attention: someone sent you a .tar, and it was there.
> Then the problem is between the chair and the keyboard as it happens ;-)

Not completely true: a normal UNIX user shouldn't expect that executables from the working directory are executed.

This feature was perhaps appropriate for skipstone developers (who understood the internals), but completely inappropriate for any other user, who just doesn't think about this possibility when working.
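As an added illustration of the two points made in this bug (the description's cwd-relative `exec ./skipstone-bin` and comment 5's observation that running from the working directory is a developer convenience that should not leak into a general-purpose launcher), the following shell snippet is not the skipstone package's own code. It puts the reported lookup next to a fixed-path lookup in which the install directory is absolute and build-tree use is an explicit opt-in. The path /usr/libexec/skipstone and the variable name SKIPSTONE_BIN are assumptions, not the package's real layout.

```sh
#!/bin/sh
# Added example (not the skipstone package's own code): the cwd-relative
# lookup from the bug report next to a fixed-path lookup. The install path
# /usr/libexec/skipstone and the SKIPSTONE_BIN variable are assumptions.

# The reported pattern: whatever file called skipstone-bin happens to sit in
# the current directory is taken as the program. Returns 1 when nothing is
# found, mirroring the original script's 'else' branch.
insecure_lookup() {
    if [ -f ./skipstone-bin ]; then
        printf '%s\n' ./skipstone-bin
        return 0
    fi
    return 1
}

# Fixed-path lookup: the binary is named by an absolute path under a
# root-owned directory, so the current directory never influences the
# choice. Running from a build tree becomes an explicit opt-in through an
# environment variable instead of an implicit search. A wrapper would then
# do: exec "$(secure_lookup)" "$@"  (both quoted, so arguments with spaces
# survive; the original's bare $@ loses them).
secure_lookup() {
    bindir="${1:-/usr/libexec/skipstone}"
    if [ -n "${SKIPSTONE_BIN:-}" ]; then
        printf '%s\n' "$SKIPSTONE_BIN"
    else
        printf '%s\n' "$bindir/skipstone-bin"
    fi
}

# Demonstration on constructed input: a scratch directory containing a
# harmless decoy skipstone-bin, which the insecure lookup picks up and the
# fixed-path lookup ignores.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho decoy\n' > "$tmp/skipstone-bin"
    chmod a+x "$tmp/skipstone-bin"
    (
        cd "$tmp" || exit 1
        printf 'insecure lookup:   %s\n' "$(insecure_lookup)"
        printf 'fixed-path lookup: %s\n' "$(secure_lookup)"
    )
    rm -rf "$tmp"
}

demo
```

The fix shipped in 1.0.0-alt4 is not shown on this page, so the `secure_lookup` shape above is only one way to get the property comment 5 asks for: an ordinary user's working directory has no say in which binary runs, and a developer who wants the build-tree binary has to ask for it by name.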