bin/114548: Possibly security risk in pkg_add(1) -- doesn't add packages properly from stdin

Garrett Cooper gcooper at FreeBSD.org
Fri Jul 13 06:30:05 UTC 2007 

>Number:         114548
>Category:       bin
>Synopsis:       Possibly security risk in pkg_add(1) -- doesn't add packages properly from stdin
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 13 06:30:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Garrett Cooper
>Release:        7.0-CURRENT i386
>Organization:
FreeBSD SoC'ers
>Environment:
FreeBSD tanaka 7.0-CURRENT FreeBSD 7.0-CURRENT #2: Wed Jun 08:39:04 PDT 2007     root at tanaka:/usr/obj/usr/src/sys/TANAKA   i386
>Description:
	I've been hacking the pkg_install code for my SoC project, and have inserted a number of debug statements in my code to determine why the number of calls in the code I produced quadrupled over the amount in the plist_cmd section. I inserted a debug statement to determine what commands are being parsed and noticed that many of my other debug statements are being interpreted as commands!

        Looking through the code a bit I believe I've found the issue... it's dealing with an assumption that the packing list comes from stdin, when not provided in add/perform.c's pkg_do(..) function. I haven't
determined with absolution if this is the root cause of the issue, but I'm over 80% certain that it is.

        This concerns me because if it is in fact the problem then a malicious developer could re-craft the package tools to do something that the original developers didn't intend.

        I am looking into solving the problem by using libarchive with a revised input format instead of stdin.
>How-To-Repeat:
1. Compile a copy of my latest perforce check-in to pkg_install. 
2. Uncomment the following line in lib/plist.c (should be around 312): 

        printf("COMMAND STRING: %s\nCMD: %s\nCP: %s\nSP: %s\n", s, cmd, cp, sp); 

3. Run '/usr/bin/time -o out.log pkg_add -vf {package} |& tee out.log' in tcsh (in order to capture all output).
4. Examine out.log for entries like:

COMMAND STRING: add_plist) Difference: 0.00000223500000000000 secs
CMD: add_plist)
CP:
SP: Difference: 0.00000223500000000000 secs

        There will be a large number of duplicate entries like this that are full of debug data. The debug statements are being interpreted as possible commands, but thankfully their status gets returned as PLIST_FAIL because they don't match any of the available commands. However, if the messages were crafted differently it would be a potential problem.
>Fix:
Theories and suggestions discussed.

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list