Accepting request 554570 from home:cbosdonnat:branches:Virtualization

- Fix potential shell command injection.
  8ba17481-quote-save-dir-before-passing-to-shell.patch
  CVE-2017-15108 (bsc#1070724)

OBS-URL: https://build.opensuse.org/request/show/554570
OBS-URL: https://build.opensuse.org/package/show/Virtualization/spice-vdagent?expand=0&rev=24
This commit is contained in:
Cédric Bosdonnat 2017-12-05 16:35:15 +00:00 committed by Git OBS Bridge
parent 089905c495
commit 106013604e
3 changed files with 57 additions and 0 deletions

View File

@ -0,0 +1,48 @@
From 8ba174816d245757e743e636df357910e1d5eb61 Mon Sep 17 00:00:00 2001
From: Jonathon Jongsma <jjongsma@redhat.com>
Date: Wed, 25 Oct 2017 10:33:11 -0500
Subject: [PATCH] Quote the save directory before passing to shell
Thanks to a report from Seth Arnold <seth.arnold@canonial.com>:
- vdagent_file_xfers_data() does not escape xfers->save_dir before giving
it to the shell
- vdagent_file_xfers_data() does not check snprintf() return code; a
too-long xfers->save_dir could cause the & or ' or any number of other
characters to go missing.
To fix these issues, we use g_spawn_async(). This avoids the need to
quote the filename and also avoids the snprintf issue.
In the case that the spawn fails, we also print a warning to the syslog
now.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Acked-by: Frediano Ziglio <fziglio@redhat.com>
---
src/vdagent/file-xfers.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
Index: spice-vdagent-0.17.0/src/vdagent-file-xfers.c
===================================================================
--- spice-vdagent-0.17.0.orig/src/vdagent-file-xfers.c
+++ spice-vdagent-0.17.0/src/vdagent-file-xfers.c
@@ -293,9 +293,16 @@ void vdagent_file_xfers_data(struct vdag
if (xfers->open_save_dir &&
task->file_xfer_nr == task->file_xfer_total &&
g_hash_table_size(xfers->xfers) == 1) {
- char buf[PATH_MAX];
- snprintf(buf, PATH_MAX, "xdg-open '%s'&", xfers->save_dir);
- status = system(buf);
+ GError *error = NULL;
+ gchar *argv[] = { "xdg-open", xfers->save_dir, NULL };
+ if (!g_spawn_async(NULL, argv, NULL,
+ G_SPAWN_SEARCH_PATH,
+ NULL, NULL, NULL, &error)) {
+ syslog(LOG_WARNING,
+ "file-xfer: failed to open save directory: %s",
+ error->message);
+ g_error_free(error);
+ }
}
status = VD_AGENT_FILE_XFER_STATUS_SUCCESS;
} else {

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Dec 5 16:12:24 UTC 2017 - cbosdonnat@suse.com
- Fix potential shell command injection.
8ba17481-quote-save-dir-before-passing-to-shell.patch
CVE-2017-15108 (bsc#1070724)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 27 12:20:36 UTC 2017 - msuchanek@suse.com Thu Jul 27 12:20:36 UTC 2017 - msuchanek@suse.com

View File

@ -27,6 +27,7 @@ Url: http://spice-space.org/
Source0: http://spice-space.org/download/releases/%{name}-%{version}.tar.bz2 Source0: http://spice-space.org/download/releases/%{name}-%{version}.tar.bz2
Patch0: spice-vdagent-var_run.patch Patch0: spice-vdagent-var_run.patch
Patch1: vdagentd-do-endian-swapping.patch Patch1: vdagentd-do-endian-swapping.patch
Patch2: 8ba17481-quote-save-dir-before-passing-to-shell.patch
BuildRequires: alsa-devel >= 1.0.22 BuildRequires: alsa-devel >= 1.0.22
BuildRequires: desktop-file-utils BuildRequires: desktop-file-utils
BuildRequires: glib2-devel BuildRequires: glib2-devel
@ -59,6 +60,7 @@ Features:
%setup -q %setup -q
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1
%build %build
%configure \ %configure \