[Bug 1649352] [NEW] http direct to terminals?
Seth Arnold
1649352 at bugs.launchpad.net
Mon Dec 12 17:27:23 UTC 2016
*** This bug is a security vulnerability ***
Public security bug reported:
Hi Dustin,
Some recent changes introduced what looks to be a serious problem:
http://launchpadlibrarian.net/296647523/base-files_9.6ubuntu7_9.6ubuntu8.diff.gz
-SERVER="https://motd.ubuntu.com"
+# White space separated list of 0 to many news services
+SERVER="http://motd.ubuntu.com"
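Review bot: the SERVER change in this hunk downgrades the only news endpoint from https:// to http://, so the curl fetch in the later hunk runs with no transport authentication at all; keep `SERVER="https://motd.ubuntu.com"` (and have curl reject plain http entries in the list) so that only the certificate-authority trust model, rather than every on-path party, DNS responder or BGP speaker, has to be trusted.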
[...]
+ if curl --connect-timeout "$WAIT" --max-time "$WAIT" -A "$USER_AGENT" -o- "$s" >"$NEWS" 2>"$ERR"; then
+ echo
+ # At most, 2 lines of at most 80 characters
+ cat "$NEWS" | tail -n 2 | cut -c -80
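Review bot: `cat "$NEWS" | tail -n 2 | cut -c -80` bounds the length of what is printed but not its content: bytes below 0x20 and 0x7F, ESC included, pass straight through to the terminal, and cut -c counts escape bytes toward the 80 columns while they occupy none on screen. Insert a filter before tail, for example `tr -cd '\011\012\040-\176'`, or route the text through a viewer that renders control bytes inertly; also, `-o-` followed by `>"$NEWS"` is redundant with `-o "$NEWS"`.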
This allows any network man-in-the-middle attacker, DNS response forger,
or BGP forger, to write 160 raw bytes directly to terminals.
The previous version wasn't good (open for abuse by anyone who could
trick one of the myriad x.509 Certificate Authorities to mis-issue a
certificate) but this version is open for abuse by significantly more
attackers.
While most terminals are reasonably safe against outright maliciousness,
this has been a recurring exploitation theme for twenty years, and even
what is "safe" for them to display could be wildly confusing to users
unfamiliar with maliciously controlled terminals. (And users have wide
tastes in terminals; some are fairly brittle.)
cat(1) does not do any filtering for 'safe' display of arbitrary inputs.
less(1) does, assuming -r is not in the LESS environment variable or on the
less(1) command line. If you wish to keep the pipeline, perhaps tr(1)'s
-d flag could be useful.
On a related note, is there a reason why the motd.ubuntu.com server
can't do HTTPS?
Thanks
** Affects: base-files (Ubuntu)
Importance: Critical
Status: Confirmed
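The tr(1) -d filtering suggested above, shown as an added example that is not part of the bug report, the quoted patch or the base-files package. It assumes the news text is plain ASCII and keeps only tab, newline and the printable range 0x20-0x7E before the existing 2-line/80-column limit; the function names and the sample response are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from base-files): a display-safe replacement for the
# `cat "$NEWS" | tail -n 2 | cut -c -80` pipeline in the quoted hunk.
# Assumption: news text is ASCII, so every byte outside tab (\011),
# newline (\012) and 0x20-0x7E (\040-\176) is dropped before display.

# Read untrusted news text on stdin; emit at most 2 lines of at most
# 80 printable characters. `tr -c` complements the set, `-d` deletes,
# so ESC (0x1b), BEL (0x07), CR and DEL never reach the terminal; the
# printable remainder of an escape sequence (e.g. "[31m") is inert text.
sanitize_news() {
    tr -cd '\011\012\040-\176' | tail -n 2 | cut -c -80
}

# Build a run of N 'x' characters without relying on seq(1).
repeat_x() {
    i=0; s=''
    while [ "$i" -lt "$1" ]; do s="${s}x"; i=$((i + 1)); done
    printf '%s' "$s"
}

# Constructed sample of a tampered response: an ANSI colour sequence,
# a BEL byte, and a 100-column line that must be truncated to 80.
sample_news() {
    printf 'line one\n\033[31mred text\033[0m\007\n%s\n' "$(repeat_x 100)"
}

# Wrapper so the result is a value that can be checked, not just printed.
sanitized_sample() {
    sample_news | sanitize_news
}

# Demonstration when run stand-alone: two lines, no control bytes.
sanitized_sample
```

Note that tr(1) works on bytes, so this deliberately discards any UTF-8 text as well; if the service is ever expected to carry non-ASCII news, a filter that understands the encoding is needed instead of widening the byte range.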
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1649352
Title:
http direct to terminals?
Status in base-files package in Ubuntu:
Confirmed