ports/129981: [vuxml] [patch] net-p2p/verlihub: document and fix CVE-2008-5706
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Sat Dec 27 21:00:16 UTC 2008
>Number: 129981
>Category: ports
>Synopsis: [vuxml] [patch] net-p2p/verlihub: document and fix CVE-2008-5706
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Dec 27 21:00:15 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
Remote command execution and insecure temporary file usage were
discovered in the verlihub peer-to-peer software.
>How-To-Repeat:
http://milw0rm.com/exploits/7183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5706
>Fix:
The following patch should fix the issue:
--- net-p2p-verlihub-fix-CVE-2008-5706.diff begins here ---
From 2b909689e519036965dde9184ab7faa93c53d67b Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Sat, 27 Dec 2008 23:33:49 +0300
Fix insecure temporary file usage and possible arbitrary command
execution in verlihub. Based on the advisory from v4lkyrius at gmail.com,
http://milw0rm.com/exploits/7183
but I redid almost everything, because the original patch was incorrectly
using results of std::string.c_str() and was stripping special
characters from the whole command. We should sanitize only the user's
input; configuration file directives should be passed "as-is".
Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
net-p2p/verlihub/Makefile | 2 +-
net-p2p/verlihub/files/patch-CVE-2008-5706 | 82 ++++++++++++++++++++++++++++
2 files changed, 83 insertions(+), 1 deletions(-)
create mode 100644 net-p2p/verlihub/files/patch-CVE-2008-5706
diff --git a/net-p2p/verlihub/Makefile b/net-p2p/verlihub/Makefile
index 8ef0f5b..d6e86ad 100644
--- a/net-p2p/verlihub/Makefile
+++ b/net-p2p/verlihub/Makefile
@@ -7,7 +7,7 @@
PORTNAME= verlihub
DISTVERSION= 0.9.8d-RC2
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= net-p2p
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
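Review bot: PORTREVISION 2 together with DISTVERSION 0.9.8d-RC2 and PORTEPOCH 1 gives the package version 0.9.8.d.r2_2,1, which is exactly the <lt> bound used in the VuXML entry later in this PR; if the revision is bumped again before commit, the VuXML range needs the same change or the entry will not match the fixed package.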
diff --git a/net-p2p/verlihub/files/patch-CVE-2008-5706 b/net-p2p/verlihub/files/patch-CVE-2008-5706
new file mode 100644
index 0000000..61dc4ca
--- /dev/null
+++ b/net-p2p/verlihub/files/patch-CVE-2008-5706
@@ -0,0 +1,82 @@
+--- src/ctrigger.cpp.orig 2005-04-11 19:18:38.000000000 +0400
++++ src/ctrigger.cpp 2008-12-27 23:28:14.000000000 +0300
+@@ -7,6 +7,9 @@
+ * the Free Software Foundation; either version 2 of the License, or *
+ * (at your option) any later version. *
+ ***************************************************************************/
++#include <errno.h>
++#include <stdio.h>
++#include <string.h>
+ #include "cserverdc.h"
+ #include "ctrigger.h"
+ #include "cconndc.h"
+@@ -44,16 +47,33 @@
+ {
+ string buf, filename, sender;
+ string par1, end1, parall;
++ string cmdl;
++
+ if (conn && conn->mpUser)
+ {
++ cmd_line >> cmdl;
++ /* Sanitise user input if we're going to exec anything */
++ if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) {
++ string cleaned = string();
++ const string toclean = string(";\"'\\`:!${}[]&><|~/");
++
++ for (string::iterator i = cmdl.begin();
++ i < cmdl.end();
++ i++) {
++ if (toclean.find(*i) == string::npos)
++ cleaned.append(1, *i);
++ }
++ cmdl = cleaned;
++ }
++
+ int uclass = conn->mpUser->mClass;
+ if ((uclass >= this->mMinClass) &&(uclass <= this->mMaxClass)) {
+
+- if(cmd_line.str().size() > mCommand.size()) {
+- parall.assign(cmd_line.str(),mCommand.size()+1,string::npos);
++ if(cmdl.size() > mCommand.size()) {
++ parall.assign(cmdl,mCommand.size()+1,string::npos);
+ }
+- cmd_line >> par1;
+- end1 = cmd_line.str();
++ par1 = cmdl;
++ end1 = cmdl;
+
+ sender = server.mC.hub_security;
+ if (mSendAs.size()) sender = mSendAs;
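Review bot: `cmd_line >> cmdl` extracts only the first whitespace-delimited token, so when a trigger is invoked with parameters nothing after the first word ever reaches `cmdl`; the old code built `parall` from `cmd_line.str()` (the whole line), while the new `parall.assign(cmdl, mCommand.size()+1, string::npos)` and `par1 = cmdl; end1 = cmdl;` all derive from that single token, which changes what triggers with arguments receive. Reading the whole line first (`std::getline(cmd_line, cmdl)` or starting from `cmd_line.str()`) and then filtering would keep the old behaviour. Separately, the filter is a deny list (`toclean`), which is easy to leave incomplete; an allow list of the characters a trigger argument legitimately needs is the safer shape when the result is handed to a shell. Minor style: `i < cmdl.end()` should be `i != cmdl.end()`.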
+@@ -104,14 +124,25 @@
+
+ if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) {
+ string command(buf);
+- filename = server.mConfigBaseDir;
+- filename.append("/tmp/trigger.tmp");
+- command.append(" > ");
+- command.append(filename);
++ char buffer[1024];
++ FILE *stream;
++
+ cout << command << endl;
+- system(command.c_str());
+ buf = "";
+- if (!LoadFileInString(filename,buf)) return 0;
++ stream = popen(command.c_str(), "r");
++ if (stream == NULL) {
++ cout << strerror(errno) << std::endl;
++ return 0;
++ } else {
++ while (fgets(buffer, sizeof(buffer),
++ stream) != NULL)
++ buf.append(buffer);
++ if (pclose(stream) == -1) {
++ cout << strerror(errno) <<
++ std::endl;
++ return 0;
++ }
++ }
+ }
+
+ // @CHANGED by dReiska +BEGINS+
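Review bot: replacing the `system(...) > /tmp/trigger.tmp` round trip with `popen(command.c_str(), "r")` removes the predictable temporary file that CVE-2008-5706 describes, but `popen()` still runs `command` through /bin/sh, so the command-injection half of the fix rests entirely on the character filter in the previous hunk and the two should be reviewed as one change. Two smaller points: `pclose()` returns the child's wait status, so a non-zero exit is worth logging (not only the `== -1` case) before `buf` is used as the trigger's output, and `cout << command << endl` now writes a line containing user-controlled text to the hub's stdout; `endl` and `std::endl` are also mixed within the same block.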
--
1.6.0.5
--- net-p2p-verlihub-fix-CVE-2008-5706.diff ends here ---
I have tested basic compilability and checked patch sanity, but I was
not able to test it on a real verlihub server. So it would be great
if the maintainer were able to do it. The cited advisory from MilW0rm should
be a good guide for the tests.
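As an added illustration of the approach the commit message argues for (filter only the user-supplied part of the trigger line and pass the operator's configured command through unchanged), here is a small C++ example; it is not verlihub's code, the Trigger struct and function names are hypothetical, and it deliberately uses an allow list instead of the patch's deny list and keeps the whole argument string rather than the first token.

```cpp
#include <cctype>
#include <string>

// Hypothetical stand-in for one verlihub trigger definition (not the
// project's own type): the name users type and the operator-configured
// shell command that is passed through unchanged.
struct Trigger {
    std::string name;     // e.g. "+ping", typed by the hub user
    std::string command;  // configured by the operator, passed "as-is"
};

// Allow-list filter for the user-supplied part of a trigger line. Unlike
// the deny list in the port's patch, anything not explicitly permitted is
// dropped, so no shell metacharacter can slip through unlisted.
std::string sanitiseUserInput(const std::string &in) {
    std::string out;
    for (std::string::const_iterator i = in.begin(); i != in.end(); ++i) {
        unsigned char c = static_cast<unsigned char>(*i);
        if (std::isalnum(c) || c == ' ' || c == '.' || c == '-' || c == '_')
            out.push_back(*i);
    }
    return out;
}

// Everything after the trigger name and one separating space, taken from
// the whole line (not only the first whitespace-delimited token), which is
// what the pre-patch code stored in parall.
std::string userArgs(const std::string &line, const Trigger &t) {
    if (line.size() <= t.name.size())
        return "";
    return line.substr(t.name.size() + 1);
}

// Final command handed to the shell: configured part untouched, user part
// filtered. Only this string should ever reach popen()/system().
std::string buildCommand(const std::string &line, const Trigger &t) {
    std::string args = sanitiseUserInput(userArgs(line, t));
    if (args.empty())
        return t.command;
    return t.command + " " + args;
}
```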
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="4b2c603e-d456-11dd-84ec-001fc66e7203">
    <topic>verlihub -- insecure temporary file usage and arbitrary command execution</topic>
    <affects>
      <package>
        <name>verlihub</name>
        <range><lt>0.9.8.d.r2_2,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Anonymous security researcher reports:</p>
        <blockquote cite="http://milw0rm.com/exploits/7183">
          <p>Verlihub does not sanitize user input passed to the shell
            via its "trigger" mechanism.</p>
        </blockquote>
        <p>Entry for CVE-2008-5706 says:</p>
        <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5706">
          <p>The cTrigger::DoIt function in src/ctrigger.cpp in the
            trigger mechanism in the daemon in Verlihub 0.9.8d-RC2 and
            earlier allows local users to overwrite arbitrary files via a
            symlink attack on the /tmp/trigger.tmp temporary file.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5706</cvename>
      <url>http://milw0rm.com/exploits/7183</url>
    </references>
    <dates>
      <discovery>2008-11-22</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: