A shell escape vulnerability was found in lshell [1]. This vulnerability is confirmed in lshell's current version 0.9.16_2 in the FreeBSD ports tree and can be exploited like so:

    lshell$ echo () sh && echo
    # ^--- hey look, I'm in /bin/sh now

This PR aims to have shells/lshell 0.9.16_2 tagged as vulnerable. I shall submit a new PR to bring lshell up to the upstream's version 0.9.18 which corrects the issue.

[1] https://github.com/ghantoos/lshell/issues/151
Thanks for the info. I've checked the issue you linked and was going to prepare the vuxml entry, but I don't see that being fixed in 0.9.18. The issue was filed 2016-08-22 and is still open, but 0.9.18 is tagged on 2016-02-25. Please correct me if I'm wrong. As you submitted the update request, taking maintainership, in bug #215989, I'd like to ask you to please collate the security issues up to and including 0.9.18 and help us document the vulnerabilities better. Perhaps you could ask the upstream to tag 0.9.19 (I'm assuming that is the next) so this could be cleanly included with upstream fixes. Rebasing this issue to security/vuxml.
Created attachment 178787: Document vulnerabilities in lshell

I've gone ahead and collected a list of issues that seem to have been found and fixed, some with the latest tagged 0.9.18, some still in master only. I've put the discovery date to the earliest of those issues. This essentially marks all published versions as vulnerable, until 0.9.19 is tagged. Please review.
Thanks Vladimir, will review and get back to you ASAP.

With regards to issue 151, I am afraid I am yet to receive confirmation from upstream as to whether the shell escape is still exploitable. I was unable to reproduce the issue using the instructions in the original thread with the 0.9.18 release from February:

- regular escape: echo () sh && echo
- control characters: echo<ctrl+v><ctrl+i>()sh && echo

Will check on the others.
Subject: autocomplete forbidden paths
Reference: https://github.com/ghantoos/lshell/issues/109
Date: July 2015, corrected in 0.9.17 release
Outcome: Closed in:
  https://github.com/ghantoos/lshell/commit/0b2e5e3ad7c769c509f08e20ef51363d26c0824a

Subject: shell escape from commands that can execute arbitrary non-allowed ones
Reference: https://github.com/ghantoos/lshell/issues/122
Date: March 2016 <-- post 0.9.18 release
Outcome: Closed in:
  https://github.com/ghantoos/lshell/commit/571aac4c04508c49c3208e5fdcba1791b0d77133
  https://github.com/ghantoos/lshell/commit/fc8dba89917338b09e253f7bc67348f4000d8614
  https://github.com/ghantoos/lshell/commit/090ede3e39cf4bae67d823c334a3b3f3ba0a8134
  https://github.com/ghantoos/lshell/commit/a03d601c757ec30c44745c19a4b870f30e7dfb4e
  https://github.com/ghantoos/lshell/commit/26c725e7084713e17ce58ee427f84668d41e39c9

Subject: shell escape with command chaining
Reference: https://github.com/ghantoos/lshell/issues/147
Date: August 2016 <-- post 0.9.18 release
Outcome: Closed in:
  https://github.com/ghantoos/lshell/commit/da6fbdee72e48ea066b72a3b6ae2da817359b88b
  https://github.com/omega8cc/lshell/commit/ed704ae1945b57d0749797ff55aa3027eb2fb9e2
  https://github.com/ghantoos/lshell/commit/a686f71732a3d0f16df52ef46ab8a49ee0083c68
  https://github.com/ghantoos/lshell/commit/c58c777ee493a266a8f8dbfae61f3230a1592d04

Subject: shell escape with special keys
Reference: https://github.com/ghantoos/lshell/issues/149
Date: August 2016 <-- post 0.9.18 release
Outcome: Closed in:
  https://github.com/ghantoos/lshell/commit/e72dfcd1f258193f9aaea3591ecbdaed207661a0
  https://github.com/ghantoos/lshell/commit/a686f71732a3d0f16df52ef46ab8a49ee0083c68
  https://github.com/ghantoos/lshell/commit/c58c777ee493a266a8f8dbfae61f3230a1592d04

Subject: shell escape with inappropriate syntax parsing
Reference: https://github.com/ghantoos/lshell/issues/151
Date: September 2016
Outcome: still open

There is 1 closed issue which predates 0.9.18.
There are 3 closed issues which postdate 0.9.18, which would require a 0.9.19 tag.
There is 1 open issue which I cannot seem to reproduce with 0.9.18 (but then, I might be doing it wrong) and for which it is unclear whether it has been fixed or not.

I will ask upstream if they'd please tag 0.9.19, and provide an answer with regards to issue 151.
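The escapes quoted in comments 1 and 4 and the issue classes listed above (command chaining, special keys, inappropriate syntax parsing) share one root cause: the restricted shell hands user input to /bin/sh after a parse that never accounted for function definitions, chaining operators or control characters. The following Python is an added illustration, not lshell's own code: a fail-closed validator that rejects control characters before tokenizing, splits the line with shlex so that shell operators become their own tokens, refuses any operator or substitution token, and only then checks the command against an allow-list. The allow-list and the sample inputs are constructed for the example.

```python
import shlex

# Constructed allow-list for this example; a restricted shell loads this from its config.
ALLOWED_COMMANDS = {"echo", "ls", "cat", "pwd"}

# shlex with punctuation_chars=True emits runs of these as separate tokens: "()", "&&", ";", "|", ">"
SHELL_PUNCTUATION = set("();<>|&")
# Characters that start command or parameter substitution; never let them reach /bin/sh.
SUBSTITUTION_CHARS = set("$`")


def validate_command(line, allowed=ALLOWED_COMMANDS):
    """Accept exactly one simple command whose name is on the allow-list.

    Returns (ok, reason, argv).  Fails closed: anything the tokenizer cannot
    account for, and any token that is shell syntax, is rejected.
    """
    # "Special keys" class: a tab inserted with ctrl+v ctrl+i, a newline or an
    # escape sequence is refused before any parsing happens.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in line):
        return False, "control character in input", []

    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # split on whitespace as well as on punctuation
    try:
        tokens = list(lexer)
    except ValueError as exc:  # unbalanced quote or dangling escape
        return False, f"unparseable input: {exc}", []

    if not tokens:
        return False, "empty command", []

    for tok in tokens:
        # Function definition "()", chaining "&&" ";" "|", redirection "<" ">".
        if tok and set(tok) <= SHELL_PUNCTUATION:
            return False, f"shell syntax not allowed: {tok!r}", []
        if set(tok) & SUBSTITUTION_CHARS:
            return False, f"substitution not allowed: {tok!r}", []

    if tokens[0] not in allowed:
        return False, f"command not allowed: {tokens[0]!r}", []
    return True, "ok", tokens


if __name__ == "__main__":
    # Constructed inputs; the first two are the lines quoted in this bug.
    for line in ["echo () sh && echo", "echo\t()sh && echo", "ls -l /tmp",
                 "cat /etc/passwd; sh", "echo $(id)", "vim x"]:
        print(f"{line!r:28} -> {validate_command(line)}")
```

Because quotes are stripped in POSIX mode, a quoted literal such as `echo "&&"` is also refused; that is the intended trade-off of failing closed, and the returned reason string is what an audit log should record rather than the raw line being executed.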
Created attachment 178796: Document vulnerabilities in lshell (two version ranges)

I've adjusted the patch to account for different version ranges affected.
Vladimir, would PORTREVISION help in differentiating between the vulnerable 0.9.18 released in February 2016, and the 0.9.18 from the latest commit hash? I've set PORTREVISION to 20160916 in the Makefile [1] so package users have an idea of what 0.9.18 version they're getting.

[1] https://bugs.freebsd.org/bugzilla/attachment.cgi?id=178857
(In reply to Damien Fleuriot from comment #6)

In theory, PORTREVISION should differentiate, yes, as pkg audit is using pkg's internal version comparison functions, where 0.9.18_3 > 0.9.18_2, so the same versioning rules should apply in the vuxml package version range, but I've never personally seen it used like that. I've commented on bug #215989 with some hints and thoughts about the version update patch to the port.
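An added example, in Python, of the version ordering comment 9 relies on; it is not pkg's or vuxml's code. `version_key` is a reduced model of pkg's comparison (epoch first, then the dotted numeric version, then the `_PORTREVISION` suffix; letter suffixes and `pl` are deliberately unsupported), and `is_affected` evaluates a range shaped like a vuxml `<range>` with `ge`/`gt`/`le`/`lt` bounds. `LSHELL_RANGES` is constructed for illustration, using the dated PORTREVISION from comment 8, and is not the content of the committed entry.

```python
def version_key(pkgver):
    """Map 'A.B.C[_REVISION][,EPOCH]' to a tuple that sorts like pkg orders versions.

    Assumption: reduced model of pkg's rules (epoch, dotted version, port
    revision), numeric components only.  Raises ValueError on anything else.
    """
    epoch = 0
    if "," in pkgver:
        pkgver, epoch_str = pkgver.rsplit(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in pkgver:
        pkgver, rev_str = pkgver.rsplit("_", 1)
        revision = int(rev_str)
    parts = pkgver.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version syntax: {pkgver!r}")
    return (epoch, tuple(int(p) for p in parts), revision)


def compare_versions(a, b):
    """Return -1, 0 or 1 (a < b, a == b, a > b) for the subset modelled above."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


def is_affected(installed, ranges):
    """ranges: list of dicts with any of ge/gt/le/lt, each one a vuxml-style <range>.

    The package is affected if every bound of at least one range holds.
    """
    ops = {
        "ge": lambda c: c >= 0,
        "gt": lambda c: c > 0,
        "le": lambda c: c <= 0,
        "lt": lambda c: c < 0,
    }
    for rng in ranges:
        if all(ops[op](compare_versions(installed, bound)) for op, bound in rng.items()):
            return True
    return False


# Constructed for illustration only: everything older than the snapshot tagged
# with PORTREVISION 20160916 is treated as affected, so the February 0.9.18
# release is flagged while 0.9.18_20160916 is not.
LSHELL_RANGES = [{"lt": "0.9.18_20160916"}]


if __name__ == "__main__":
    for v in ["0.9.16_2", "0.9.18", "0.9.18_20160916"]:
        print(f"{v:18} affected={is_affected(v, LSHELL_RANGES)}")
```

The point for writing a vuxml range is the last line of the output: a `<lt>` bound that carries a PORTREVISION orders correctly against both the plain release and the revised package, which is exactly the behaviour comment 9 expects from pkg audit.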
Status?
A commit references this bug:

Author: swills
Date: Fri Jul 27 13:15:56 UTC 2018
New revision: 475439
URL: https://svnweb.freebsd.org/changeset/ports/475439

Log:
  security/vuxml: document lshell issues

  PR:           215988
  Submitted by: Damien Fleuriot <dam@my.gd>

Changes:
  head/security/vuxml/vuln.xml
Committed, thanks!