Bug 735394

Summary: VUL-0: sysconfig: Improper quoting of variable (wireless AP related)
Product: [openSUSE] openSUSE 12.1 Reporter: Jon Nelson <jnelson-suse>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P3 - Medium CC: mt, security-team
Version: Final   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:sle10-sp3:44624 maint:released:sle10-sp4:44625
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Deadline: 2011-12-26   

Description Jon Nelson 2011-12-07 16:16:45 UTC 
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0

In this context, the variable "CONFIG" comes from the *name* of the AP one might be associated with in a wireless environment (which can contain just about any old cruft.)

In my case, I connected to a network with a space in the name, and *happened* to be watching /var/log/messages and /var/log/NetworkManager.

This is what I saw:

Dec  7 09:41:23 some_laptop dbus-daemon[20761]: scripts/ifup-services: line 98: test: ./ifcfg-wlan0-Uphill: binary operator expected

Line 98-100 reads:

test -f ./ifcfg-$CONFIG && . ./ifcfg-$CONFIG
if [ -d "ifservices-$CONFIG" ] ; then
        cd ifservices-$CONFIG

The first and third lines make use of $CONFIG _unquoted_.
I can see this being a potential security issue.

It's probably worth auditing the rest of the associated files for similar issues.


Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Comment 2 Swamp Workflow Management 2011-12-07 23:00:28 UTC 
bugbot adjusting priority
Comment 5 Ludwig Nussel 2011-12-12 15:09:46 UTC 
CVE-2011-4182
Comment 7 Swamp Workflow Management 2011-12-12 15:40:28 UTC 
The SWAMPID for this issue is 44544.
This issue was rated as moderate.
Please submit fixed packages until 2011-12-26.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 12 Bernhard Wiedemann 2011-12-19 13:00:43 UTC 
This is an autogenerated message for OBS integration:
This bug (735394) was mentioned in
https://build.opensuse.org/request/show/97040 12.1 / sysconfig
https://build.opensuse.org/request/show/97041 11.4 / sysconfig
https://build.opensuse.org/request/show/97042 11.3 / sysconfig
https://build.opensuse.org/request/show/97043 Factory / sysconfig
Comment 14 Swamp Workflow Management 2012-01-11 11:09:04 UTC 
Update released for: sysconfig, sysconfig-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 15 Ludwig Nussel 2012-01-19 12:24:23 UTC 
released
Comment 16 Swamp Workflow Management 2012-02-08 14:09:31 UTC 
Update released for: sysconfig, sysconfig-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 17 Bernhard Wiedemann 2012-02-17 22:00:53 UTC 
This is an autogenerated message for OBS integration:
This bug (735394) was mentioned in
https://build.opensuse.org/request/show/105749 Evergreen:11.2 / sysconfig
Comment 18 Bernhard Wiedemann 2012-02-22 13:00:24 UTC 
This is an autogenerated message for OBS integration:
This bug (735394) was mentioned in
https://build.opensuse.org/request/show/106448 Evergreen:11.2 / sysconfig