xdg-utils incorrectly parses output, causing wrong output

Bug #335643 reported by Matthew Flaschen
This bug affects 1 person
Affects: Xdg-utils; Status: Confirmed; Importance: Medium
Affects: xdg-utils (Ubuntu); Status: Triaged; Importance: Low; Assigned to: Unassigned
Declined for Hardy by Sebastien Bacher

Bug Description

Binary package hint: xdg-utils

xdg-mime fails to safely parse output from kfile, gnomevfs-info, and file -i. This allows a carefully crafted filename to be used to output arbitrary text. An example script is provided as an attachment. It creates a single file, then runs xdg-open three times, simulating three desktop environments (KDE, GNOME, other).

The script helpfully notes that there has been a problem and suggests a possible solution... Note that xdg-mime is used directly by real applications, so this vulnerability may have unforeseen results.

I plan to provide candidate patches shortly.

Matthew Flaschen (matthew-flaschen) wrote :

Patch is attached. This fixes the bug for all three methods and moves the exploit to the test directory.

dforsi (daniele-forsi) wrote :

Looking at the attachments in this bug report, I noticed that an attachment was not flagged as a patch. A patch contains changes to an Ubuntu package that will resolve a bug and this attachment is one! Subsequently, I've checked the patch flag for it. In the future when submitting patches please use the patch checkbox as there are some Launchpad searches that use this feature. You can learn more about the patch workflow at https://wiki.ubuntu.com/Bugs/Patches.

In , Jamie Strandboge (jdstrand) wrote :

This bug was reported in the Ubuntu bug tracker as a security vulnerability. I do not feel it is a security vulnerability because it appears xdg-mime will at worst echo back the filename rather than the mimetype. E.g., from within a gnome session:

$ touch '/tmp/foo:runme'
$ KDE_FULL_SESSION=false GNOME_DESKTOP_SESSION_ID= xdg-mime query filetype /tmp/foo\:runme
runme

This is simply because info_kde(), info_gnome() and info_generic() use cut with a delimiter that, if present in the filename, causes unintended output. See the Ubuntu bug for details and a suggested patch.

xdg-utils 1.0.2 (1.0.2-6.1 on Ubuntu and Debian)
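The delimiter problem described in the comment above, as an added example that is not part of the original thread or the xdg-utils source: it assumes a `cut -d:`-style extraction and a constructed `file -i`-style output line, and contrasts that with stripping the known filename as a literal prefix. The function names and sample values are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the line a `file -i`-style tool is assumed to print
# for the file from the comment above ("<filename>: <mimetype>; <params>").
SAMPLE_NAME='/tmp/foo:runme'
SAMPLE_LINE='/tmp/foo:runme: text/plain; charset=us-ascii'

# Fragile (assumed pattern): take the second ':'-separated field of the line.
# $1 (the filename) is ignored; a ':' inside the name shifts the fields, so
# part of the filename is returned instead of the MIME type.
mime_by_cut() {
    printf '%s\n' "$2" | cut -d: -f2 | cut -d';' -f1 | sed 's/^ //'
}

# Hardened: the caller already knows the filename, so remove exactly
# "<name>: " as a literal prefix, then drop any "; charset=..." parameters.
# Returns 1 if the line lacks that prefix or the rest is not type/subtype.
mime_by_prefix() {
    name=$1
    line=$2
    case $line in
        "$name: "*) rest=${line#"$name: "} ;;
        *) return 1 ;;
    esac
    rest=${rest%%;*}
    case $rest in
        */*) ;;
        *) return 1 ;;
    esac
    # Reject anything outside the characters expected in a MIME type token.
    case $rest in
        *[!A-Za-z0-9.+/_-]*) return 1 ;;
    esac
    printf '%s\n' "$rest"
}

echo "cut:    $(mime_by_cut "$SAMPLE_NAME" "$SAMPLE_LINE")"
echo "prefix: $(mime_by_prefix "$SAMPLE_NAME" "$SAMPLE_LINE")"
```

A program that consumes the result can treat the non-zero return of `mime_by_prefix` as "type unknown" instead of passing filename fragments on as a MIME type.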

Jamie Strandboge (jdstrand) wrote : Re: xdg-utils incorrectly parses output, allowing arbitrary text injection

Unmarking as security as it appears that at worst xdg-mime will simply echo back (part of) the filename, and while this is confusing and certainly a bug, it does not cross privilege boundaries or cause data loss. Presumably the user will recognize the echoed back text as the filename of the file that was queried. Filed as upstream bug https://bugs.freedesktop.org/show_bug.cgi?id=21018.

security vulnerability: yes → no
Changed in xdg-utils (Ubuntu):
status: New → Confirmed
summary: - xdg-utils incorrectly parses output, allowing arbitrary text injection
+ xdg-utils incorrectly parses output, causing wrong output
Changed in xdg-utils:
status: Unknown → Confirmed
Changed in xdg-utils (Ubuntu):
importance: Undecided → Low
Matthew Flaschen (matthew-flaschen) wrote :

"Presumably the user will recognize the echoed back text as the filename of the file that was queried."

You're assuming that a user is always using xdg-utils directly. In fact, they are used by programs, in which case a typical user is not necessarily going to know the original filename was specially constructed.

In , Andrew Starr-Bochicchio (andrewsomething) wrote :

Created an attachment (id=36854)
Patch from Ubuntu bug

tags: added: patch-forwarded-upstream
Changed in xdg-utils:
importance: Unknown → Medium
Changed in xdg-utils:
importance: Medium → Unknown
Changed in xdg-utils:
importance: Unknown → Medium
Changed in xdg-utils (Ubuntu):
status: Confirmed → Triaged
In , Dunric29a (dunric29a) wrote :

I can confirm the issue is still not fixed in xdg-utils 1.1.0, git snapshot from 2012-10-08.
Attached patch does work for me.
Please update in upstream.
