Date: Fri, 13 Jul 2007 06:29:51 GMT From: Garrett Cooper <gcooper@FreeBSD.org> To: freebsd-gnats-submit@FreeBSD.org Subject: bin/114548: Possibly security risk in pkg_add(1) -- doesn't add packages properly from stdin Message-ID: <200707130629.l6D6Tprf097070@www.freebsd.org> Resent-Message-ID: <200707130630.l6D6U4O9014759@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 114548
>Category: bin
>Synopsis: Possibly security risk in pkg_add(1) -- doesn't add packages properly from stdin
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 13 06:30:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Garrett Cooper
>Release: 7.0-CURRENT i386
>Organization:
FreeBSD SoC'ers
>Environment:
FreeBSD tanaka 7.0-CURRENT FreeBSD 7.0-CURRENT #2: Wed Jun 08:39:04 PDT 2007 root@tanaka:/usr/obj/usr/src/sys/TANAKA i386
>Description:
I've been hacking the pkg_install code for my SoC project, and have inserted a number of debug statements in my code to determine why the number of calls in the code I produced quadrupled over the amount in the plist_cmd section. I inserted a debug statement to determine what commands are being parsed and noticed that many of my other debug statements are being interpreted as commands!
Looking through the code a bit I believe I've found the issue... it's dealing with an assumption that the packing list comes from stdin, when not provided in add/perform.c's pkg_do(..) function. I haven't
determined with absolution if this is the root cause of the issue, but I'm over 80% certain that it is.
This concerns me because if it is in fact the problem then a malicious developer could re-craft the package tools to do something that the original developers didn't intend.
I am looking into solving the problem by using libarchive with a revised input format instead of stdin.
>How-To-Repeat:
1. Compile a copy of my latest perforce check-in to pkg_install.
2. Uncomment the following line in lib/plist.c (should be around 312):
printf("COMMAND STRING: %s\nCMD: %s\nCP: %s\nSP: %s\n", s, cmd, cp, sp);
3. Run '/usr/bin/time -o out.log pkg_add -vf {package} |& tee out.log' in tcsh (in order to capture all output).
4. Examine out.log for entries like:
COMMAND STRING: add_plist) Difference: 0.00000223500000000000 secs
CMD: add_plist)
CP:
SP: Difference: 0.00000223500000000000 secs
There will be a large number of duplicate entries like this that are full of debug data. The debug statements are being interpreted as possible commands, but thankfully their status gets returned as PLIST_FAIL because they don't match any of the available commands. However, if the messages were crafted differently it would be a potential problem.
>Fix:
Theories and suggestions discussed.
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200707130629.l6D6Tprf097070>