From debbugs-submit-bounces@debbugs.gnu.org Tue Jan 17 23:39:28 2023 Received: (at submit) by debbugs.gnu.org; 18 Jan 2023 04:39:28 +0000 Received: from localhost ([127.0.0.1]:38765 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pI0ES-0003og-Fq for submit@debbugs.gnu.org; Tue, 17 Jan 2023 23:39:28 -0500 Received: from lists.gnu.org ([209.51.188.17]:37506) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pI0ER-0003oY-0W for submit@debbugs.gnu.org; Tue, 17 Jan 2023 23:39:27 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pI0EQ-0005WI-Ix for bug-gzip@gnu.org; Tue, 17 Jan 2023 23:39:26 -0500 Received: from out2-smtp.messagingengine.com ([66.111.4.26]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pI0EO-0006QA-HI for bug-gzip@gnu.org; Tue, 17 Jan 2023 23:39:26 -0500 Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 4A32E5C0102 for ; Tue, 17 Jan 2023 23:39:22 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Tue, 17 Jan 2023 23:39:22 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=who-t.net; h=cc :content-type:date:date:from:from:in-reply-to:message-id :mime-version:reply-to:sender:subject:subject:to:to; s=fm2; t= 1674016762; x=1674103162; bh=LKBYMdO8qx7pW7cluSCuA7U4HnMG5fwdiju IlV25Jvw=; b=SHBO4tTYaferb3WzPxKGtTe19Gbu6lhhR98we2QflcLnCGgv/Wh agG7fboV2hsnrJsE6zjZGGIVqlYEBVCJ6fTc6pApQfvjEvhhVSajSMtrPQfr2fJ/ LMZwmfsEx9gHFiLh5Ps41dSROXwRTG13oUTBktkM/CmAm2WTjXVCIT7sB0m+BSHG dVKT2tmagFbA5pB8+NJHaguzRJru6n3Z9s9pbYclDY2csCNijZY5u5/+hDcNYAoo X0TbgvnwvBSH9utwc4J7rMCOgHB2Owkn0IKKvtORKUKbZbPg258kRi/Eiu6gHAOR DmNKKmEhT+0yyAf/tv1F6sCmDdOydtyPwRw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:message-id:mime-version :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1674016762; x= 1674103162; bh=LKBYMdO8qx7pW7cluSCuA7U4HnMG5fwdijuIlV25Jvw=; b=l Z9FicwNBETPuj3eNdGMbcwsMUloZN5FhZMQsC5RtZX36O2XGD8Y5JRHS0trgE4+4 O6zYbwxd/lmvaauSk25vm3o8S3J7Sxh+RJEmnRfCFF/Hc5DSrlk0c7use+Ufu+QX gMluJKa7RJYTjjngrMhr4ei6unjsuNt4u7rqHtIa8wta5mcVmk/FeeE5wz+4fow1 ii90mSCJxCa/XCigwGsi1zOrSvsBm9l/LaDwiUS70/tAGjPr4811f6XmK3KEDmyk yPB1HOP64+2qwOPUlTwFMuBFI3OSCi0S6OI+sJSIzuuumB3kYWxG/I1ps/4cEO7L m4oljzeG2UYkbMGtplMNw== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedruddtjedgjeeiucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkgggtugesthdtredttd dtvdenucfhrhhomheprfgvthgvrhcujfhuthhtvghrvghruceophgvthgvrhdrhhhuthht vghrvghrseifhhhoqdhtrdhnvghtqeenucggtffrrghtthgvrhhnpeejkefhiefgvdehve ehgfevuedtvefhtdevvddvheetueegjeektedvjeeugedvveenucffohhmrghinhepfhhr vggvuggvshhkthhophdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmh epmhgrihhlfhhrohhmpehpvghtvghrrdhhuhhtthgvrhgvrhesfihhohdqthdrnhgvth X-ME-Proxy: Feedback-ID: i7ce144cd:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA for ; Tue, 17 Jan 2023 23:39:20 -0500 (EST) Date: Wed, 18 Jan 2023 14:39:14 +1000 From: Peter Hutterer To: bug-gzip@gnu.org Subject: gunzip susceptible to PATH highjacking Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Received-SPF: pass client-ip=66.111.4.26; envelope-from=peter.hutterer@who-t.net; helo=out2-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.6 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.6 (--) Hi all, Simple summary: gunzip executes any "gzip" executable if the caller adjusts PATH. $ echo "boom" > gzip $ chmod +x gzip $ PATH="$PWD:$PATH" /usr/bin/gunzip boom We discovered this as part of a fix to libXpm, an library to parse X pixmaps. libXpm forks out to gunzip to decompress an xpm.gz file and any libXpm application can thus be made to exec a random binary by highjacking PATH. Our initial fix was to change this to call /usr/bin/gunzip explicitly (i.e. with the built-in prefix). [1] But since gunzip execs gzip from $PATH, nothing really changes - we now fixed this in libXpm by calling /usr/bin/gzip -d instead [2] Not sure if this is a bug, intentional, or just a "meh, too niche to worry about". Or possibly a combination of all three, I'm happy with either. Cheers, Peter [1] https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff916696d0a14308ff4f3a376 [2] https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/8178eb0834d82242e1edbc7d4fb0d1b397569c68 From debbugs-submit-bounces@debbugs.gnu.org Wed Jan 18 02:50:46 2023 Received: (at 60924) by debbugs.gnu.org; 18 Jan 2023 07:50:46 +0000 Received: from localhost ([127.0.0.1]:38993 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pI3Da-0000ZT-8H for submit@debbugs.gnu.org; Wed, 18 Jan 2023 02:50:46 -0500 Received: from zimbra.cs.ucla.edu ([131.179.128.68]:38468) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pI3DX-0000ZD-OK for 60924@debbugs.gnu.org; Wed, 18 Jan 2023 02:50:44 -0500 Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 9F9C3160060; Tue, 17 Jan 2023 23:50:36 -0800 (PST) Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id jM4YdA5771JU; Tue, 17 Jan 2023 23:50:36 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id F1270160069; Tue, 17 Jan 2023 23:50:35 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.9.2 zimbra.cs.ucla.edu F1270160069 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.ucla.edu; s=78364E5A-2AF3-11ED-87FA-8298ECA2D365; t=1674028236; bh=7U0KWOnhlemET0ZbB8updpl8jAqdUW7MWk3gcEe2v54=; h=Message-ID:Date:MIME-Version:Subject:To:From:Content-Type: Content-Transfer-Encoding; b=YiPKVpFVdbJgeTIwVm4UeGxwyoDlW3On9ZUwIS8yNqZPkBxr7B2X3s1yqwF85QQaG 8XpMtxzvTXY/3iT3Tvs/fvbjtRYpOlfmE6cjUZ0cY6axofnqHhBiOuEis68jz/urYY FIPg2ECe5ZfwjXCFI33PsG+dwKqtroQRaA0j4WlA= X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id x2kQPzdci-BR; Tue, 17 Jan 2023 23:50:35 -0800 (PST) Received: from [192.168.1.9] (cpe-172-91-119-151.socal.res.rr.com [172.91.119.151]) by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id C70E9160060; Tue, 17 Jan 2023 23:50:35 -0800 (PST) Message-ID: Date: Tue, 17 Jan 2023 23:50:33 -0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2 Subject: Re: bug#60924: gunzip susceptible to PATH highjacking To: Peter Hutterer , 60924@debbugs.gnu.org References: Content-Language: en-US From: Paul Eggert Organization: UCLA Computer Science Department In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Score: -3.4 (---) X-Debbugs-Envelope-To: 60924 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.4 (----) On 2023-01-17 20:39, Peter Hutterer wrote: > Not sure if this is a bug, intentional, or just a "meh, too niche to > worry about". I'd say it's intentional. These days you're probably better off linking to zlib instead. From debbugs-submit-bounces@debbugs.gnu.org Wed Jan 18 16:23:21 2023 Received: (at 60924) by debbugs.gnu.org; 18 Jan 2023 21:23:21 +0000 Received: from localhost ([127.0.0.1]:41920 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pIFtx-0004va-Bz for submit@debbugs.gnu.org; Wed, 18 Jan 2023 16:23:21 -0500 Received: from mail-lj1-f173.google.com ([209.85.208.173]:40879) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pIFtw-0004vN-3J for 60924@debbugs.gnu.org; Wed, 18 Jan 2023 16:23:20 -0500 Received: by mail-lj1-f173.google.com with SMTP id y19so89963ljq.7 for <60924@debbugs.gnu.org>; Wed, 18 Jan 2023 13:23:20 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=GOiVzKpFMJu9H7Ci2zJUZWyRLPGQefvxUpy09DJprSw=; b=rdv6GMPPuH73dB4+88lqmDEHgCvx1NWd6e2S1VJ8L1HpwdWrXg0oiQ4OS8P/9ysWBv tIzXYFdv05LzuUj78hO4Y6/3Vs31DM1mqmMbcgRkPumh4e3hh37+E064uEdslrSA2REn 7CmnND+NN1R6I3ia5OeUzYhL47CrPB8eIHv9ADgrf10ZcPJSqGKKjn+RKlmPIS2LXEZ3 6O5k0RKNy+O8r0l+/Vh0rvLS417OngHjEYVPjnRscd6wEIpIjdlsORKTobavfYiOhUiM jjSTYEvbEGClXX1D5+XmgOfFGOL6kAXuTe+ipjTlpejaufNEtxbWzX5Cyg1TKmw/Zi+5 4lvw== X-Gm-Message-State: AFqh2krs5h+RDA1uXO89NykA48AbO62hIyLnsZoTNfegxxbEYOvmf1BE V62j3TU1gyblIGb9lzXDIlbExmnuTeEOJ77BVUY= X-Google-Smtp-Source: AMrXdXvFb7hLTvTfbHx719miTPM6WrsBVHJ2OY1Xw4fPO6fnzfR1geLL2ovd9BT5SaMT6wcv7yRVnoH1DziYFh5Gf88= X-Received: by 2002:a2e:bc0b:0:b0:28b:aa4f:b69c with SMTP id b11-20020a2ebc0b000000b0028baa4fb69cmr427696ljf.50.1674076993901; Wed, 18 Jan 2023 13:23:13 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Jim Meyering Date: Wed, 18 Jan 2023 13:23:01 -0800 Message-ID: Subject: Re: bug#60924: gunzip susceptible to PATH highjacking To: Paul Eggert Content-Type: text/plain; charset="UTF-8" X-Spam-Score: 0.2 (/) X-Debbugs-Envelope-To: 60924 Cc: Peter Hutterer , 60924@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.8 (/) tags 60924 notabug close 60924 thanks Thanks for the report. From debbugs-submit-bounces@debbugs.gnu.org Wed Jan 18 16:36:55 2023 Received: (at control) by debbugs.gnu.org; 18 Jan 2023 21:36:56 +0000 Received: from localhost ([127.0.0.1]:41933 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pIG75-0005H7-LN for submit@debbugs.gnu.org; Wed, 18 Jan 2023 16:36:55 -0500 Received: from zimbra.cs.ucla.edu ([131.179.128.68]:52728) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pIG73-0005Gt-NC for control@debbugs.gnu.org; Wed, 18 Jan 2023 16:36:54 -0500 Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id E7C5E16004F for ; Wed, 18 Jan 2023 13:36:46 -0800 (PST) Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id OjKAzf4UkNny for ; Wed, 18 Jan 2023 13:36:46 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 4913916006A for ; Wed, 18 Jan 2023 13:36:46 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.9.2 zimbra.cs.ucla.edu 4913916006A DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.ucla.edu; s=78364E5A-2AF3-11ED-87FA-8298ECA2D365; t=1674077806; bh=3RtKTLpw6dO42A5F6kWSj6ht1032ynu6CvtRJiSPcH0=; h=Message-ID:Date:MIME-Version:To:From:Subject:Content-Type: Content-Transfer-Encoding; b=YPJfQmVgIHR7adB/GI7QxC6EauymAwLlq57fDTHZQApkHrmjTf6F6gPVOcIh1wVRL 0mWrkh+J7ZXu+tv05pOmzjQ/uSzZ+ZvRvQytWHHjGcGkYQ8mVi1p9YxVZwgI7JW8kV cCBEt9A2gw/tFOFgSP4q21W6sAO+NNjGIxkA771M= X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id maR6avwliJIE for ; Wed, 18 Jan 2023 13:36:46 -0800 (PST) Received: from [131.179.64.200] (Penguin.CS.UCLA.EDU [131.179.64.200]) by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 2F12016004F for ; Wed, 18 Jan 2023 13:36:46 -0800 (PST) Message-ID: Date: Wed, 18 Jan 2023 13:36:41 -0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0 Content-Language: en-US To: GNU bug control From: Paul Eggert Subject: close 60924 Organization: UCLA Computer Science Department Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) close 60924 From unknown Sun Aug 10 09:10:08 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Thu, 16 Feb 2023 12:24:06 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator