Bug 897334 - (CVE-2014-2886) VUL-0: CVE-2014-2886: gksu: command injection using quotes
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
Reported: 2014-09-18 15:18 UTC by Marcus Meissner
Modified: 2014-09-24 13:23 UTC (History)

Description Marcus Meissner 2014-09-18 15:18:10 UTC
via oss-sec


By passing this to gksu, gksu will pass the payload to ‘gksu-run-helper’ as an argument in “double” quotes. When gksu executes the gksu-run-helper command as root, the payload is evaluated within the double quotes (even though virtualbox single quoted them!).

Within the gksu_su_fuller function in libgksu.c ~line 1928, you will find gksu builds the string that it will be eventually running. Lines ~1996 and 1997 look like this:

1996      cmd[i] = g_strdup_printf ("%s \"%s\"", auxcommand,
1997        context->command); i++;


So if you pass a command with " it will have unquoted code exposed.
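
Added example, not part of the original report and not libgksu code: the double-quote construction from the quoted line next to a single-quoted form, with a simplified word counter showing how a command containing " stops being one argument. It assumes the built string is parsed by a POSIX shell, as the report describes; the function names and the sample command are constructed for illustration, and the quoting shown is one possible mitigation, not the upstream fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Construction from the libgksu line quoted above: no escaping. */
char *wrap_like_gksu(const char *aux, const char *command) {
    size_t n = strlen(aux) + strlen(command) + 4;
    char *out = malloc(n);
    if (out) snprintf(out, n, "%s \"%s\"", aux, command);
    return out;
}

/* Hardened: single-quote the command, rewriting each ' as '\''. */
char *wrap_quoted(const char *aux, const char *command) {
    size_t n = strlen(aux) + 4;              /* space, two quotes, NUL */
    for (const char *p = command; *p; p++) n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *w;
    if (!out) return NULL;
    w = out + sprintf(out, "%s '", aux);
    for (const char *p = command; *p; p++) {
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }
        else *w++ = *p;
    }
    *w++ = '\''; *w = '\0';
    return out;
}

/* Count shell words honouring only ', " and backslash (simplified model,
 * no operators or expansions); -1 means an unterminated quote. */
int count_words(const char *s) {
    int words = 0, in_word = 0;
    char q = 0;                              /* active quote char, or 0 */
    for (; *s; s++) {
        if (!q && (*s == ' ' || *s == '\t')) { in_word = 0; continue; }
        if (!in_word) { in_word = 1; words++; }
        if (*s == '\\' && q != '\'' && s[1]) s++;   /* escaped char */
        else if (q) { if (*s == q) q = 0; }         /* closing quote */
        else if (*s == '\'' || *s == '"') q = *s;   /* opening quote */
    }
    return q ? -1 : words;
}

int main(void) {
    const char *cmd = "touch \"my file\"";   /* constructed sample input */
    char *a = wrap_like_gksu("gksu-run-helper", cmd);
    char *b = wrap_quoted("gksu-run-helper", cmd);
    if (a && b) printf("%s => %d\n%s => %d\n", a, count_words(a), b, count_words(b));
    free(a); free(b);
    return 0;
}
```

Passing the command as its own argv element to an exec-style call, with no shell in between, avoids the quoting problem altogether.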
Comment 1 Marcus Meissner 2014-09-18 15:19:44 UTC
We are not shipping gksu on openSUSE or SLE at this time.
We could audit other su helpers for this usage.
Comment 2 Swamp Workflow Management 2014-09-18 22:00:18 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2014-09-24 13:23:28 UTC
not for us