File: bug1.html

package info (click to toggle)
pcb-rnd 3.1.7b-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 33,108 kB
  • sloc: ansic: 213,400; yacc: 6,241; sh: 4,698; awk: 3,016; makefile: 2,254; lex: 1,166; python: 519; xml: 261; lisp: 154; tcl: 67; perl: 34; javascript: 6; ruby: 5
file content (70 lines) | stat: -rw-r--r-- 2,312 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
	<title> pcb-rnd - security related bugs </title>
	<meta http-equiv="Content-Type" content="text/html;charset=us-ascii">
</head>
<body>

<!--content-->
<h1> pcb-rnd security related bug #1: execbug </h1>
<p>
Users opening untrusted boards or projects may unintentionally execute
external programs.

<h2> 1. Bug description </h2>
<p>
pcb-rnd inherited 5 settings from gEDA/PCB that let pcb-rnd (and PCB)
execute external processes, wrapping certain file operations:
<ul>
	<li> conf_core.rc.save_command
	<li> conf_core.rc.rat_command
	<li> conf_core.rc.library_shell
	<li> conf_core.rc.file_command
	<li> conf_core.rc.font_command
</ul>
<p>
The old Settings system has been replaced in pcb-rnd; the new conf system
allows any configuration setting to be specified in a project file or a
board file. This includes the above 5 items as well.
<p>
Thus an attacker may produce a project or a single board file in .pcb or .lht format
that contains the above config settings, executing arbitrary shell command on the
user's computer when pcb-rnd opens or saves the file or loads fonts or
footprints or netlists.

<h2> 2. How to prevent the attack </h2>

<h3> 2.1. By using a version that is not affected </h3>
<p>
<ul>
	<li> from svn /trunk, any revision newer than r11597
	<li> any release starting from 1.2.6
	<li> old stable release 1.2.5, patched: <a href="../releases/pcb-rnd-1.2.5b.tar.gz">1.2.5b</a>
	<li> old stable release 1.1.4, patched: <a href="../releases/pcb-rnd-1.1.4b.tar.gz">1.1.4b</a>
</ul>

<h3> 2.2. By manually checking board and project files from untrusted source</h3>
<p>
Before opening the file, grep for _command and _shell in it, remove
the offending lines.


<h2> 3. What did the patch/fix do </h2>
<p>
The patch prevents these 5 settings to take effect when the source of
the setting is not from one of these:
<ul>
	<li> internal (embedded in the executable, used as the ultimate fallback when no config is available)
	<li> system installed config file (typically under /usr/)
	<li> user config file (typically in ~/.pcb-rnd/)
	<li> command line argument (-c)
</ul>
<p>
This bans sources like the board file, the project file and environmental
variable.

</body>
</html>