Ubuntu
xdg-utils package

xdg-utils incorrectly parses output, causing wrong output

Bug #335643 reported by Matthew Flaschen on 2009-02-27

This bug affects 1 person

Affects		Status	Importance	Assigned to
	Xdg-utils	Confirmed	Medium	freedesktop-bugs #21018
	xdg-utils (Ubuntu)	Triaged	Low	Unassigned
Declined for Hardy by Sebastien Bacher

Bug Description

Binary package hint: xdg-utils

xdg-mime fails to safely parse output from kfile, gnomevfs-info, and file -i. This allows a carefully crafted filename to be used to output arbitrary text. An example script is provided as an attachment. It creates a single file, then runs xdg-open three times, simulating three desktop environments (KDE, GNOME, other).

The script helpfully notes that there has been a problem and suggests a possible solution... Note that xdg-mime is used directly by real applications, so this vulnerability may have unforeseen results.

I plan to provide candidate patches shortly.

Tags:

Revision history for this message

Matthew Flaschen (matthew-flaschen) wrote on 2009-02-27:

Example exploit of vulnerability Edit (524 bytes, text/x-sh)

Revision history for this message

Matthew Flaschen (matthew-flaschen) wrote on 2009-03-04:

Fixes bugs and creates test. Edit (2.2 KiB, text/plain)

Patches is attached. This fixes the bug for all three methods and moves the exploit to the test directory.

Revision history for this message

dforsi (daniele-forsi) wrote on 2009-03-17:

Looking at the attachments in this bug report, I noticed that an attachment was not flagged as a patch. A patch contains changes to an Ubuntu package that will resolve a bug and this attachment is one! Subsequently, I've checked the patch flag for it. In the future when submitting patches please use the patch checkbox as there are some Launchpad searches that use this feature. You can learn more about the patch workflow at https://wiki.ubuntu.com/Bugs/Patches.

Revision history for this message

In freedesktop.org Bugzilla #21018, Jamie Strandboge (jdstrand) wrote on 2009-04-02:

This bug was reported in the Ubuntu bug tracker as a security vulnerability. I do not feel it is a security vulnerability because it appears xdg-mime will at worst echo back the filename rather than the mimetype. Eg, from within a gnome session:

$ touch '/tmp/foo:runme'
$ KDE_FULL_SESSION=false GNOME_DESKTOP_SESSION_ID= xdg-mime query filetype /tmp/foo\:runme
runme

This is simply because info_kde(), info_gnome() and info_generic() use cut with a delimiter that if in the filename, causes unintended output. See the Ubuntu bug for details and a suggested patch.

xdg-utils 1.0.2 (1.0.2-6.1 on Ubuntu and Debian)

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2009-04-02: Re: xdg-utils incorrectly parses output, allowing arbitrary text injection

Unmarking as security as it appears that at worst xdg-mime will simply echo back (part of) the filename and though while confusing and certainly a bug, it does not cross privilege boundaries or cause data loss. Presumably the user will recognize the echoed back text as the filename of the file that was queried. Filed as upstream bug https://bugs.freedesktop.org/show_bug.cgi?id=21018.

security vulnerability:	yes → no
Changed in xdg-utils (Ubuntu):
status:	New → Confirmed

Jamie Strandboge (jdstrand) on 2009-04-02

summary:

- xdg-utils incorrectly parses output, allowing arbitrary text injection
+ xdg-utils incorrectly parses output, causing wrong output

Bug Watch Updater (bug-watch-updater) on 2009-04-02

Changed in xdg-utils:
status:	Unknown → Confirmed

Marc Deslauriers (mdeslaur) on 2009-04-08

Changed in xdg-utils (Ubuntu):
importance:	Undecided → Low

Revision history for this message

Matthew Flaschen (matthew-flaschen) wrote on 2009-04-09:

"Presumably the user will recognize the echoed back text as the filename of the file that was queried."

You're assuming that a user is always using xdg-utils directly. In fact, they are used by programs, in which case a typical user is not necessarily going to know the original filename was specially constructed.

Revision history for this message

In freedesktop.org Bugzilla #21018, Andrew Starr-Bochicchio (andrewsomething) wrote on 2010-07-08:

Created an attachment (id=36854)
Patch from Ubuntu bug

Andrew Starr-Bochicchio (andrewsomething) on 2010-07-08

tags:

added: patch-forwarded-upstream

Bug Watch Updater (bug-watch-updater) on 2010-09-13

Changed in xdg-utils:
importance:	Unknown → Medium

Bug Watch Updater (bug-watch-updater) on 2011-01-25

Changed in xdg-utils:
importance:	Medium → Unknown

Bug Watch Updater (bug-watch-updater) on 2011-02-03

Changed in xdg-utils:
importance:	Unknown → Medium

Sebastien Bacher (seb128) on 2011-03-11

Changed in xdg-utils (Ubuntu):
status:	Confirmed → Triaged

Revision history for this message

In freedesktop.org Bugzilla #21018, Dunric29a (dunric29a) wrote on 2013-01-27:

I can confirm the issue is still not fixed in xdg-utils 1.1.0, git snapshot from 2012-10-08.
Attached patch does work for me.
Please update in upstream.