Bugzilla – Bug 897334
VUL-0: CVE-2014-2886: gksu: command injection using quotes
Last modified: 2014-09-24 13:23:28 UTC
via oss-sec

https://community.rapid7.com/community/metasploit/blog/2014/07/07/virtualbox-filename-command-execution-via-gksu
http://www.securityfocus.com/bid/68427
http://savannah.nongnu.org/bugs/?40023

...

By passing this to gksu, gksu will pass the payload to ‘gksu-run-helper’ as an argument in “double” quotes. When gksu executes the gksu-run-helper command as root, the payload is evaluated within the double quotes (even though virtualbox single quoted them!).

Within the gksu_su_fuller function in libgksu.c ~line 1928, you will find gksu builds the string that it will be eventually running. ~line 1996 and 1997 looks like this:

    1996 cmd[i] = g_strdup_printf ("%s \"%s\"", auxcommand,
    1997 context->command); i++;

...

so if you pass a command with " it will have unquoted code exposed.
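The string construction quoted above, next to a single-quoted form, as an added example that is not part of the bug report or of libgksu. The function names are hypothetical and the inputs are constructed; `shell_would_interpret` is a simplified POSIX quoting scanner, not a full shell parser.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration; function names are hypothetical, not libgksu's. */

/* Pattern from the report: command wrapped in double quotes, no escaping. */
char *build_unquoted(const char *helper, const char *command) {
    size_t n = strlen(helper) + strlen(command) + 4; /* space, 2 quotes, NUL */
    char *out = malloc(n);
    if (out) snprintf(out, n, "%s \"%s\"", helper, command);
    return out;
}

/* Hardened: single-quote the argument, rewriting each ' as '\'' */
char *build_quoted(const char *helper, const char *command) {
    size_t n = strlen(helper) + 4; /* space, 2 quotes, NUL */
    for (const char *p = command; *p; p++) n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *w;
    if (!out) return NULL;
    w = out + sprintf(out, "%s '", helper);
    for (const char *p = command; *p; p++) {
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }
        else *w++ = *p;
    }
    memcpy(w, "'", 2); /* closing quote and NUL */
    return out;
}

/* 1 if a POSIX shell would act on part of s: ; | & outside all quotes, or
 * $ or ` outside single quotes (double quotes still expand those). */
int shell_would_interpret(const char *s) {
    int sq = 0, dq = 0;
    for (; *s; s++) {
        if (sq) { if (*s == '\'') sq = 0; continue; }
        if (*s == '\\' && s[1]) { s++; continue; }
        if (*s == '"') { dq = !dq; continue; }
        if (*s == '$' || *s == '`') return 1;
        if (dq) continue;
        if (*s == '\'') sq = 1;
        else if (*s == ';' || *s == '|' || *s == '&') return 1;
    }
    return 0;
}
```

In GLib code the same quoting is available as `g_shell_quote()`; passing the command as its own argv element with no shell in between avoids the quoting problem altogether.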
We are not shipping gksu on openSUSE or SLE at this time. We could audit other su helpers for this usage.
bugbot adjusting priority
not for us