forked from pool/spice-vdagent
spice-vdagent/8ba17481-quote-save-dir-before-passing-to-shell.patch
Cédric Bosdonnat 106013604e Accepting request 554570 from home:cbosdonnat:branches:Virtualization
- Fix potential shell command injection.
  8ba17481-quote-save-dir-before-passing-to-shell.patch
  CVE-2017-15108 (bsc#1070724)

OBS-URL: https://build.opensuse.org/request/show/554570
OBS-URL: https://build.opensuse.org/package/show/Virtualization/spice-vdagent?expand=0&rev=24
2017-12-05 16:35:15 +00:00


From 8ba174816d245757e743e636df357910e1d5eb61 Mon Sep 17 00:00:00 2001
From: Jonathon Jongsma <jjongsma@redhat.com>
Date: Wed, 25 Oct 2017 10:33:11 -0500
Subject: [PATCH] Quote the save directory before passing to shell

Thanks to a report from Seth Arnold <seth.arnold@canonial.com>:

- vdagent_file_xfers_data() does not escape xfers->save_dir before giving
  it to the shell
- vdagent_file_xfers_data() does not check snprintf() return code; a
  too-long xfers->save_dir could cause the & or ' or any number of other
  characters to go missing.

To fix these issues, we use g_spawn_async(). This avoids the need to
quote the filename and also avoids the snprintf issue.

In the case that the spawn fails, we also print a warning to the syslog
now.

Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Acked-by: Frediano Ziglio <fziglio@redhat.com>
---
src/vdagent/file-xfers.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
Index: spice-vdagent-0.17.0/src/vdagent-file-xfers.c
===================================================================
--- spice-vdagent-0.17.0.orig/src/vdagent-file-xfers.c
+++ spice-vdagent-0.17.0/src/vdagent-file-xfers.c
@@ -293,9 +293,16 @@ void vdagent_file_xfers_data(struct vdag
if (xfers->open_save_dir &&
task->file_xfer_nr == task->file_xfer_total &&
g_hash_table_size(xfers->xfers) == 1) {
- char buf[PATH_MAX];
- snprintf(buf, PATH_MAX, "xdg-open '%s'&", xfers->save_dir);
- status = system(buf);
+ GError *error = NULL;
+ gchar *argv[] = { "xdg-open", xfers->save_dir, NULL };
+ if (!g_spawn_async(NULL, argv, NULL,
+ G_SPAWN_SEARCH_PATH,
+ NULL, NULL, NULL, &error)) {
+ syslog(LOG_WARNING,
+ "file-xfer: failed to open save directory: %s",
+ error->message);
+ g_error_free(error);
+ }
}
status = VD_AGENT_FILE_XFER_STATUS_SUCCESS;
} else {
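Review bot: the diffstat header (`src/vdagent/file-xfers.c | 13 ++++++++++---`) no longer matches the file the hunk actually touches (`Index: spice-vdagent-0.17.0/src/vdagent-file-xfers.c`); the stat lines were carried over from the upstream commit when the patch was rebased onto the 0.17.0 layout, so either regenerate them or drop them so the header describes the hunk. The replacement itself is the right shape for the CVE: `argv[]` is handed to `g_spawn_async()` as a vector, so `xfers->save_dir` is never interpreted by a shell and no quoting is needed, and the fixed-size `buf` plus unchecked `snprintf()` disappear with it. Two things to confirm when applying: the old `system()` return value was stored in `status` and then immediately overwritten with `VD_AGENT_FILE_XFER_STATUS_SUCCESS`, and the new code keeps that behaviour (a spawn failure is logged via `syslog()` but still reports success to the client), which matches the commit message's intent; and with `G_SPAWN_SEARCH_PATH` and without `G_SPAWN_DO_NOT_REAP_CHILD`, `xdg-open` is resolved from the agent's PATH and reaped automatically, so the trailing `&` of the old command is not needed and no zombie is left behind.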