Bug 897334 - (CVE-2014-2886) VUL-0: CVE-2014-2886: gksu: command injection using quotes
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Security Team bot
Reported: 2014-09-18 15:18 UTC by Marcus Meissner
Modified: 2014-09-24 13:23 UTC
Description Marcus Meissner 2014-09-18 15:18:10 UTC
via oss-sec

https://community.rapid7.com/community/metasploit/blog/2014/07/07/virtualbox-filename-command-execution-via-gksu
http://www.securityfocus.com/bid/68427
http://savannah.nongnu.org/bugs/?40023

...
By passing this to gksu, gksu will pass the payload to ‘gksu-run-helper’ as an argument in “double” quotes. When gksu executes the gksu-run-helper command as root, the payload is evaluated within the double quotes (even though virtualbox single quoted them!).

Within the gksu_su_fuller function in libgksu.c ~line 1928, you will find gksu builds the string that it will eventually be running. ~lines 1996 and 1997 look like this:

1996      cmd[i] = g_strdup_printf ("%s \"%s\"", auxcommand,
1997        context->command); i++;

...

so if you pass a command with " it will have unquoted code exposed.
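
The quoting flaw described in the report above, as an added C example that is not part of the bug report or of libgksu. build_naive reproduces the "%s \"%s\"" pattern; build_quoted (a hypothetical alternative using POSIX single-quote escaping) and active_bytes (a constructed checker counting bytes a shell would interpret rather than pass as literal data) are assumptions, as are the sample helper name and command string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern from the report: command wrapped in double quotes, unescaped. */
static char *build_naive(const char *aux, const char *command) {
    size_t n = strlen(aux) + strlen(command) + 4;  /* space, 2 quotes, NUL */
    char *out = malloc(n);
    if (out) snprintf(out, n, "%s \"%s\"", aux, command);
    return out;
}

/* Hypothetical alternative: single-quote, rewriting each ' as '\''. */
static char *build_quoted(const char *aux, const char *command) {
    size_t n = strlen(aux) + 4;                    /* space, 2 quotes, NUL */
    for (const char *p = command; *p; p++) n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n);
    if (!out) return NULL;
    char *w = out + sprintf(out, "%s '", aux);
    for (const char *p = command; *p; p++)
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; } else *w++ = *p;
    *w++ = '\''; *w = '\0';
    return out;
}

/* Count bytes after the first word that a POSIX shell would interpret. */
static int active_bytes(const char *line) {
    enum { NONE, SQ, DQ } st = NONE;
    int count = 0;
    const char *p = strchr(line, ' ');
    for (p = p ? p + 1 : ""; *p; p++) {
        if (st == SQ) { if (*p == '\'') st = NONE; continue; }
        if (*p == '\\' && p[1]) { p++; continue; }    /* escaped byte */
        if (*p == '"') { st = (st == DQ) ? NONE : DQ; continue; }
        if (st == DQ) { count += (*p == '$' || *p == '`'); continue; }
        if (*p == '\'') { st = SQ; continue; }
        if (*p != ' ') count++;                       /* unquoted byte */
    }
    return count;
}

int main(void) {
    const char *cmd = "report.txt\" ; id ; \"";       /* constructed input */
    char *a = build_naive("gksu-run-helper", cmd);
    char *b = build_quoted("gksu-run-helper", cmd);
    if (!a || !b) return 1;
    printf("%d: %s\n%d: %s\n", active_bytes(a), a, active_bytes(b), b);
    free(a); free(b); return 0;
}
```
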
Comment 1 Marcus Meissner 2014-09-18 15:19:44 UTC
We are not shipping gksu on openSUSE or SLE at this time.
We could audit other su helpers for this usage.
Comment 2 Swamp Workflow Management 2014-09-18 22:00:18 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2014-09-24 13:23:28 UTC
not for us