GNU bug report logs - #60924
gunzip susceptible to PATH highjacking


Package: gzip;

Reported by: Peter Hutterer <peter.hutterer <at> who-t.net>

Date: Wed, 18 Jan 2023 04:40:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.



Report forwarded to bug-gzip <at> gnu.org:
bug#60924; Package gzip. (Wed, 18 Jan 2023 04:40:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter Hutterer <peter.hutterer <at> who-t.net>:
New bug report received and forwarded. Copy sent to bug-gzip <at> gnu.org. (Wed, 18 Jan 2023 04:40:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Peter Hutterer <peter.hutterer <at> who-t.net>
To: bug-gzip <at> gnu.org
Subject: gunzip susceptible to PATH highjacking
Date: Wed, 18 Jan 2023 14:39:14 +1000
Hi all,

Simple summary: gunzip executes any "gzip" executable if the caller
adjusts PATH.

$ echo "boom" > gzip
$ chmod +x gzip
$ PATH="$PWD:$PATH" /usr/bin/gunzip 
boom

We discovered this as part of a fix to libXpm, a library to parse X
pixmaps. libXpm forks out to gunzip to decompress an xpm.gz file and
any libXpm application can thus be made to exec a random binary by
highjacking PATH.

Our initial fix was to change this to call /usr/bin/gunzip explicitly
(i.e. with the built-in prefix). [1] But since gunzip execs gzip from
$PATH, nothing really changes - we have now fixed this in libXpm by calling
/usr/bin/gzip -d instead. [2]

Not sure if this is a bug, intentional, or just a "meh, too niche to
worry about". Or possibly a combination of all three, I'm happy with
either.

Cheers,
  Peter

[1] https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff916696d0a14308ff4f3a376
[2] https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/8178eb0834d82242e1edbc7d4fb0d1b397569c68




Information forwarded to bug-gzip <at> gnu.org:
bug#60924; Package gzip. (Wed, 18 Jan 2023 07:51:01 GMT) Full text and rfc822 format available.

Message #8 received at 60924 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Peter Hutterer <peter.hutterer <at> who-t.net>, 60924 <at> debbugs.gnu.org
Subject: Re: bug#60924: gunzip susceptible to PATH highjacking
Date: Tue, 17 Jan 2023 23:50:33 -0800
On 2023-01-17 20:39, Peter Hutterer wrote:
> Not sure if this is a bug, intentional, or just a "meh, too niche to
> worry about".

I'd say it's intentional.

These days you're probably better off linking to zlib instead.
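As an added example (not code from gzip, libXpm, or anyone in this thread), the Python below shows the two defensive options the thread discusses: the libXpm fix of invoking gzip -d by absolute path with a controlled environment instead of gunzip, and Paul's alternative of decompressing in-process with zlib so that no program is exec'd at all. It also includes a small audit of PATH entries that an unprivileged user could populate, which is the condition the report relies on. The sample XPM payload, the helper names, and the /usr/bin:/bin fallback PATH are assumptions made for the example.

```python
# Added example (not gzip's or libXpm's own code): decompress .gz data without
# letting $PATH decide which program runs, and spot PATH entries an attacker
# could populate. Names and sample data below are constructed for the example.
import gzip
import os
import stat
import subprocess
import zlib

GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample: a tiny XPM file, compressed in-process so the example runs offline.
SAMPLE_XPM = (b"/* XPM */\n"
              b"static char *sample[] = {\n"
              b"\"1 1 1 1\",\n"
              b"\". c #000000\",\n"
              b"\".\"};\n")
SAMPLE_XPM_GZ = gzip.compress(SAMPLE_XPM)


def decompress_in_process(data: bytes) -> bytes:
    """Preferred route (Paul's suggestion): inflate with zlib linked into the process.

    Nothing is exec'd, so neither $PATH nor a planted 'gzip' binary matters.
    wbits=31 tells zlib to expect gzip framing (header, CRC32, length trailer);
    a corrupt stream raises zlib.error instead of running anything.
    """
    if not data.startswith(GZIP_MAGIC):
        raise ValueError("input is not a gzip stream")
    return zlib.decompress(data, wbits=31)


def decompress_via_gzip_binary(data: bytes, gzip_path: str = "/usr/bin/gzip") -> bytes:
    """Fallback mirroring the libXpm fix: run gzip -d by absolute path, never gunzip.

    gunzip re-execs 'gzip' from $PATH; gzip -d does the work itself.
    The environment is replaced wholesale so the caller's PATH is not inherited.
    (Assumed fallback PATH; adjust to the platform's trusted directories.)
    """
    if not os.path.isabs(gzip_path):
        raise ValueError("gzip_path must be absolute")
    env = {"PATH": "/usr/bin:/bin", "LC_ALL": "C"}
    proc = subprocess.run([gzip_path, "-d", "-c"], input=data,
                          capture_output=True, env=env, check=True)
    return proc.stdout


def risky_path_entries(path_value: str) -> list:
    """Return PATH entries that let an unprivileged user drop in a binary:
    empty or relative entries (resolved against the cwd) and world-writable
    directories (sticky bit does not stop file creation, so /tmp still counts).
    """
    risky = []
    for entry in path_value.split(os.pathsep):
        if not os.path.isabs(entry):        # "" and "." both mean "current directory"
            risky.append(entry)
            continue
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            continue                         # missing directory: nothing to plant there
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            risky.append(entry)
    return risky


if __name__ == "__main__":
    assert decompress_in_process(SAMPLE_XPM_GZ) == SAMPLE_XPM
    print("risky PATH entries:", risky_path_entries(os.environ.get("PATH", "")))
```

The in-process route is the one to prefer for a library such as libXpm: it removes the fork/exec entirely, so the process's PATH, cwd and environment become irrelevant to which code handles the compressed data. The subprocess variant is only as safe as the absolute path it is given and the environment it constructs.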




Information forwarded to bug-gzip <at> gnu.org:
bug#60924; Package gzip. (Wed, 18 Jan 2023 21:24:02 GMT) Full text and rfc822 format available.

Message #11 received at 60924 <at> debbugs.gnu.org (full text, mbox):

From: Jim Meyering <jim <at> meyering.net>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: Peter Hutterer <peter.hutterer <at> who-t.net>, 60924 <at> debbugs.gnu.org
Subject: Re: bug#60924: gunzip susceptible to PATH highjacking
Date: Wed, 18 Jan 2023 13:23:01 -0800
tags 60924 notabug
close 60924
thanks

Thanks for the report.




bug closed, send any further explanations to 60924 <at> debbugs.gnu.org and Peter Hutterer <peter.hutterer <at> who-t.net> Request was from Paul Eggert <eggert <at> cs.ucla.edu> to control <at> debbugs.gnu.org. (Wed, 18 Jan 2023 21:37:02 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 16 Feb 2023 12:24:06 GMT) Full text and rfc822 format available.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.