GNU bug report logs - #60924
gunzip susceptible to PATH highjacking


Package: gzip

Reported by: Peter Hutterer <peter.hutterer <at> who-t.net>

Date: Wed, 18 Jan 2023 04:40:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.



Message #5 received at submit <at> debbugs.gnu.org:

From: Peter Hutterer <peter.hutterer <at> who-t.net>
To: bug-gzip <at> gnu.org
Subject: gunzip susceptible to PATH highjacking
Date: Wed, 18 Jan 2023 14:39:14 +1000
Hi all,

Simple summary: gunzip executes any "gzip" executable if the caller
adjusts PATH.

$ echo "boom" > gzip
$ chmod +x gzip
$ PATH="$PWD:$PATH" /usr/bin/gunzip 
boom

We discovered this as part of a fix to libXpm, a library to parse X
pixmaps. libXpm forks out to gunzip to decompress an xpm.gz file and
any libXpm application can thus be made to exec a random binary by
highjacking PATH.

Our initial fix was to change this to call /usr/bin/gunzip explicitly
(i.e. with the built-in prefix). [1] But since gunzip execs gzip from
$PATH, nothing really changes - we now fixed this in libXpm by calling
/usr/bin/gzip -d instead. [2]

Not sure if this is a bug, intentional, or just a "meh, too niche to
worry about". Or possibly a combination of all three, I'm happy with
either.

Cheers,
  Peter

[1] https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff916696d0a14308ff4f3a376
[2] https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/8178eb0834d82242e1edbc7d4fb0d1b397569c68
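As an added example (not libXpm's or gzip's code), this is how a C caller can do what the second libXpm fix does: spawn the decompressor by absolute path, with PATH pinned to system directories, so that neither the program itself nor gunzip's own exec of "gzip" can be redirected by the caller's environment. It assumes gzip lives at /usr/bin/gzip and relies on gzip's -d and -c options.

```c
#include <spawn.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child. Even with an absolute program path the
 * child may search PATH itself (gunzip execs "gzip"), so PATH is pinned to
 * system directories instead of being inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Spawn the program at absolute `path` with `argv` and capture its stdout
 * into `out` (at most `cap` bytes). Returns bytes captured, or -1 if the path
 * is relative, the spawn fails, the child exits non-zero, or output overflows. */
ssize_t run_captured(const char *path, char *const argv[], char *out, size_t cap)
{
    if (path == NULL || path[0] != '/') return -1;  /* relative name => PATH lookup */
    int fds[2];
    if (pipe(fds) != 0) return -1;
    posix_spawn_file_actions_t fa;
    posix_spawn_file_actions_init(&fa);
    posix_spawn_file_actions_adddup2(&fa, fds[1], STDOUT_FILENO);
    posix_spawn_file_actions_addclose(&fa, fds[0]);
    posix_spawn_file_actions_addclose(&fa, fds[1]);
    pid_t pid;
    /* posix_spawn, not posix_spawnp: the program itself is never PATH-searched */
    int rc = posix_spawn(&pid, path, &fa, NULL, argv, SAFE_ENV);
    posix_spawn_file_actions_destroy(&fa);
    close(fds[1]);
    if (rc != 0) { close(fds[0]); return -1; }
    size_t total = 0;
    char scratch[256];  /* drains excess output so the child never blocks on the pipe */
    ssize_t n;
    while ((n = read(fds[0], total < cap ? out + total : scratch,
                     total < cap ? cap - total : sizeof scratch)) > 0)
        total = (total < cap) ? total + (size_t)n : cap + 1;  /* cap+1 marks overflow */
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return total > cap ? -1 : (ssize_t)total;
}

/* libXpm-style call site: decompress an .xpm.gz via gzip -d -c at a fixed
 * absolute path (the second libXpm fix), never "gunzip" found via PATH. */
ssize_t decompress_xpm_gz(const char *gz_path, char *out, size_t cap)
{
    char *const argv[] = { "gzip", "-d", "-c", (char *)gz_path, NULL };
    return run_captured("/usr/bin/gzip", argv, out, cap);
}
```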





