From: Zooko <zo...@zo...> - 2002-03-27 12:13:15
[Cc: ro...@sf..., ro...@cv..., because I can't find an e-mail address @sf.net to which I should report this.]

Folks:

I experimented a bit and confirmed that with the current HEAD version of syncmail it is indeed possible to invoke arbitrary shell commands like this:

$ mkdir test\"\;eval
$ touch test\"\;eval\ /whoami\;\"echo\
$ cvs add test\"\;eval\ /whoami\;\"echo\
$ cvs commit -m " Don't look -- it's too awful."

I was able to run "whoami" on cvs.pyutil.sourceforge.net as user `zooko', despite the fact that the `zooko' account on that machine is a restricted shell which is disallowed from all actions other than invoking cvs.

Here is a patch appended, named "Patch 3", which fixes this hole.

You should also consider the prophylactic clean-up patch, "Patch 1":

[1] http://sourceforge.net/mailarchive/forum.php?thread_id=561598&forum_id=8207

If you apply Patch 2:

[2] http://sourceforge.net/mailarchive/forum.php?thread_id=561512&forum_id=8207

then it supersedes the appended Patch 3 (but you should still apply Patch 1).

Please let me know if I should use patch manager for this. Feel free to give me cvs write access (account name: zooko) if you want me to commit these myself.

Regards,

Zooko

---
zooko.com
Security and Distributed Systems Engineering
---

[3] Patch 3:

Index: syncmail =================================================================== RCS file: /cvsroot/pyutil/CVSROOT/syncmail,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- syncmail 27 Mar 2002 11:28:01 -0000 1.3 +++ syncmail 27 Mar 2002 11:59:44 -0000 1.4 @@ -68,7 +68,7 @@ import getopt # Notification command -MAILCMD = '/bin/mail -s "CVS: %(SUBJECT)s" %(PEOPLE)s 2>&1 > /dev/null' +MAILCMD = "/bin/mail -s 'CVS: %(SUBJECT)s' %(PEOPLE)s 2>&1 > /dev/null" # Diff trimming stuff DIFF_HEAD_LINES = 20 
@@ -191,7 +191,7 @@ # $CVSROOT, followed by the list of files that are changing. if not args: usage(1, 'No CVS module specified') - SUBJECT = args[0] + SUBJECT = string.replace(args[0], "'", '"') specs = string.split(args[0]) del args[0]
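Review bot: the first hunk (@@ -68,7 +68,7 @@) only closes the hole if no single quote can reach %(SUBJECT)s, so the switch to single quotes in MAILCMD is unsafe on its own and must land together with the second hunk that rewrites every ' in args[0]; the two should not be committed separately. Even combined, %(PEOPLE)s is still interpolated unquoted and the whole line still goes through a shell, so the durable fix is to hand /bin/mail an argument list and run it without a shell (the message says Patch 2 supersedes this one; whatever it does, that is the property to check for). Pre-existing and unchanged, but worth a look while here: `2>&1 > /dev/null` redirects stderr to the original stdout before stdout is sent to /dev/null, so error output is kept and normal output discarded, which is usually the reverse of what is intended.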
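Review bot: in the second hunk (@@ -191,7 +191,7 @@), `SUBJECT = string.replace(args[0], "'", '"')` is a complete sanitiser only for the single-quoted context introduced by the first hunk (a single quote is the one character that can end a single-quoted shell word), and it silently alters the subject recipients see, since every apostrophe becomes a double quote. Note that SUBJECT is now a sanitised copy while `specs = string.split(args[0])` still derives from the raw args[0], so neither args[0] nor specs may ever be interpolated into another shell string; a one-line comment stating that SUBJECT is shell-safe only inside single quotes would make that contract explicit for the next editor.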