Letters to the editor
xpdf vulnerability - CAN-2003-0434
From: Andries.Brouwer@cwi.nl
To: announce@mandrakesecure.net, bugtraq@securityfocus.com, letters@lwn.net
Subject: xpdf vulnerability - CAN-2003-0434
Date: Sat, 28 Jun 2003 19:33:12 +0200 (MEST)
I see RedHat and Mandrake reactions to the vulnerability in xpdf reported by Martyn Gilmore. But their updates do not fix the problem. They change xpdf, and make it filter out backquotes before invoking urlCommand. I think that was unnecessary.

On the other hand, urlCommand must be very careful what it does with the URL since it was remote-user-supplied. A urlCommand like the default "netscape -remote 'openURL(%s)'" is OK since the %s is protected by single quotes. A urlCommand like the RedHat "/usr/bin/xpdf-handle-url %s" is bad since %s is not protected and funny games are possible. In other words, not xpdf but /etc/xpdfrc must be fixed.

Next, RedHat /usr/bin/xpdf-handle-url is bad as well, since it does

    xterm -e sh -c "echo Edit $0 to include your URL handler; echo $1; read"

exposing the unquoted URL to sh -c. For example, on a RedHat 8.0 system that I have here, clicking a URL like "nailto:me; rm /tmp/abc" will remove the indicated file, also after the fix is applied.

A test example for playing with pdflatex:

    \documentclass[11pt]{minimal}
    \usepackage{color}
    \usepackage[urlcolor=blue,colorlinks=true,pdfpagemode=none]{hyperref}
    \begin{document}
    \href{prot:hyperlink with stuff, say, `rm -rf /tmp/abc`; touch /tmp/pqr}{\texttt{Click me}}
    \end{document}

All shell metacharacters are dangerous. Not only backquote.

Andries
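The quoting problem Andries describes, as an added example that is not part of the letter: a urlCommand-style template is split with shell rules once and the URL is substituted into a single argv element, so no shell ever re-parses it, while a second helper shows which words a shell would actually see if the same template were expanded as a string. The function names, the scheme allowlist and the sample URLs are assumptions for illustration.

```python
import shlex
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed allowlist: schemes this handler is willing to dispatch at all.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}


def build_argv(template: str, url: str) -> List[str]:
    """Expand a urlCommand template into an argument vector.

    The template is tokenised with shell quoting rules at configuration
    time, and %s is replaced inside the resulting tokens. The URL therefore
    ends up as (part of) one argv element, whatever characters it contains,
    and can be handed to execve / subprocess.run(argv) with no shell involved.
    """
    return [tok.replace("%s", url) for tok in shlex.split(template)]


def shell_would_see(template: str, url: str) -> List[str]:
    """Words a POSIX shell would form if the template were expanded as a
    string first (the pattern in the unquoted RedHat urlCommand)."""
    lexer = shlex.shlex(template.replace("%s", url), posix=True,
                        punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_acceptable_url(url: str) -> bool:
    """Defensive check a handler can apply before doing anything with a URL
    that came out of a remote document."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    # raw whitespace and control characters never belong in a URL
    return not any(c.isspace() or ord(c) < 0x20 for c in url)


def dispatch_argv(template: str, url: str) -> Optional[List[str]]:
    """Return the argv to execute, or None when the URL is refused."""
    if not is_acceptable_url(url):
        return None
    return build_argv(template, url)
```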
SCO can not win "SCO vs Linux" case. Seriously.
From: Khimenko Victor <khim@sch57.msk.ru>
To: lwn@lwn.net
Subject: SCO can not win "SCO vs Linux" case. Seriously.
Date: Sun, 29 Jun 2003 18:32:12 +0400 (MSD)
I have been looking at the "SCO vs IBM" case for some time, and every time the "SCO vs IBM" case is discussed as if it were the "SCO vs Linux" case. But it's not! Even more: even if SCO wins the "SCO vs IBM" case, SCO cannot do ANYTHING to Linux (except maybe make it illegal to distribute for some time). How so?

Ok, SCO would like to get license fees from Linux vendors, right? SCO is not interested in removing offending code from Linux - they only want money, right? Oops. They cannot have it. No matter what Linus and IBM have done. Even if they own rights to half of Linux's code. Why so? Linux's license is the GPL. Reread this part of the GPL once more, please:

-- cut --
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
-- cut --

What does this mean? This means that even if SCO has some rights to Linux code (all or some parts of it) then there are ONLY TWO CHOICES:

1. SCO grants everyone rights to redistribute Linux for free (like IBM did with RCU patents)
2. SCO forbids everyone to distribute Linux without SCO's license and thus makes Linux UNDISTRIBUTABLE IN THE US FOR ALL, INCLUDING SCO ITSELF!

There are NO other choices. Even if RedHat or IBM buys a license from SCO they cannot redistribute Linux! If they try then EVERYONE who EVER contributed to Linux can sue them. IBM, Intel, HP, SGI ... Oh, of course all those companies can sue SCO for illegal redistribution once SCO's claims are proven :-) Since SCO obviously redistributed Linux while agreements with other parties made it impossible for SCO to even show the code (or so SCO claims).

Why is this side of the issue never discussed? Why is every columnist writing about how the "Linux community is doing nothing" when THE ONLY THING the Linux community CAN DO is to remove the offending code, and that is not possible until SCO shows what code should be removed?
Page editor: Forrest Cook