Product: Fedora https://bugzilla.redhat.com/show_bug.cgi?id=958733
Bug ID: 958733
Summary: plexus-utils: suspicious shell quoting in org.codehaus.plexus.util.cli
Product: Fedora
Version: 18
Component: plexus-utils
Severity: unspecified
Priority: unspecified
Assignee: fnasser@redhat.com
Reporter: fweimer@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: fnasser@redhat.com, java-sig-commits@lists.fedoraproject.org, mizdebsk@redhat.com
Blocks: 958220
Category: ---
The shell quoting logic in this package (and the org.codehaus.plexus.util.cli.shell package) looks fairly dangerous. It appears to be mostly dead code. Client code should be migrated to java.lang.ProcessBuilder.
The different quoting options (single quotes, double quotes) are difficult to get right, and the reference to StringUtils is not particularly helpful because the caller has to provide the correct set of characters to be escaped, which is platform-dependent.
--- Comment #1 from Mikolaj Izdebski mizdebsk@redhat.com --- plexus-utils package is widely used (required by 96 packages in Fedora and it is the most often downloaded artifact on Maven Central [1]), so changing the API or migrating dependent packages to use standard JDK API would be difficult or impossible.
If I remember correctly the shell quoting code is indirectly used by maven-scm and maven-wagon. Migration to ProcessBuilder is impossible (or at least not always possible) because the shell code needs to be executed on remote hosts (e.g. over SSH), which is beyond the capabilities of ProcessBuilder.
In my opinion the shell quoting and escaping code should be fixed to conform to appropriate standards, like [2].
[1] http://search.maven.org/#stats
[2] http://pubs.opengroup.org/onlinepubs/7908799/xcu/chap2.html
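The report above says the single-quote and double-quote options are hard to get right and that a caller-supplied escape set is platform-dependent; comment #1 asks for quoting that conforms to the POSIX shell grammar [2]. The following is an added example written for this page, not plexus-utils code and not the patch attached to PLXUTILS-161. It assumes a hypothetical build tool that has to collapse an argument vector into one string for a remote /bin/sh (the SSH case from comment #1), and it shows the one rule POSIX sh gives that neutralizes every metacharacter: wrap the word in single quotes and replace each embedded ' with '\''. The naive double-quote variant is included beside it to show what it leaves live. The helper names (posix_quote, naive_double_quote, join_command, roundtrip) are mine.

```python
"""POSIX sh argument quoting: worked example, not code from plexus-utils.

Assumed scenario (not from the bug report): a hypothetical tool must send one
command string to a remote /bin/sh over ssh, so it cannot use ProcessBuilder
and has to quote each argv element itself.
"""
import shutil
import subprocess
from typing import Callable, Iterable, List

# Bytes that never need quoting in any POSIX sh. Everything else gets wrapped.
_SAFE = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@%+=:,./-_"
)


def posix_quote(arg: str) -> str:
    """Return ARG as exactly one word for a POSIX sh.

    Inside '...' nothing is special except the closing quote, so a literal
    quote is produced by closing the word, emitting \\' and reopening:
        it's  ->  'it'\\''s'
    An empty argument must still become '' or it would vanish from argv.
    """
    if arg and all(c in _SAFE for c in arg):
        return arg
    return "'" + arg.replace("'", "'\\''") + "'"


def naive_double_quote(arg: str) -> str:
    """The broken approach: "..." keeps $ ` \\ (and ! in interactive bash) live."""
    return '"' + arg + '"'


def join_command(argv: Iterable[str], quoter: Callable[[str], str] = posix_quote) -> str:
    """Join an argv into a single command line using QUOTER for each word."""
    return " ".join(quoter(a) for a in argv)


def sh_available() -> bool:
    """True when a POSIX sh is on PATH (the live check below needs one)."""
    return shutil.which("sh") is not None


def roundtrip(argv: List[str], quoter: Callable[[str], str] = posix_quote) -> List[str]:
    """Hand join_command(argv) to a real sh and return the words it parsed.

    printf reuses its format for every argument, and '%s\\0' terminates each
    word with NUL so embedded spaces, newlines and empty words stay unambiguous.
    """
    script = "printf '%s\\0' " + join_command(argv, quoter)
    out = subprocess.run(["sh", "-c", script], capture_output=True, check=True).stdout
    return out.decode().split("\0")[:-1]


if __name__ == "__main__":
    # Constructed inputs: a quote, a command substitution, backticks, a ';'.
    hostile = ["a b", "it's", "$(echo pwned)", "`id`", "x;y", ""]
    print(join_command(hostile))
    if sh_available():
        print("single-quoted words survive intact:", roundtrip(hostile) == hostile)
        print("double-quoted $(...) is executed:", roundtrip(["$(echo pwned)"], naive_double_quote))
```

The point the quoting-by-character-set approach misses is that the set of characters to escape depends on which quoting context the caller chose and on the target shell; single quotes make the question moot on POSIX sh, but the function above is only correct for that target and must not be used to build a cmd.exe line, whose rules are entirely different.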
Mikolaj Izdebski mizdebsk@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1009412
Mikolaj Izdebski mizdebsk@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|fnasser@redhat.com          |mizdebsk@redhat.com
Mikolaj Izdebski mizdebsk@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://jira.codehaus.org/browse/PLXUTILS-161
--- Comment #2 from Mikolaj Izdebski mizdebsk@redhat.com --- Related to upstream bug PLXUTILS-161
Kristian Rosenvold krosenvold@apache.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |krosenvold@apache.org
--- Comment #3 from Kristian Rosenvold krosenvold@apache.org --- I am one of the current maintainers of the plexus code in question.
Plexus-utils is mostly used within maven, which (like all the build systems for java) is not a "safe" execution environment; if someone wants to inject an "rm -rf /*" into your build system there's probably thousands of different attack vectors to achieve this. This applies to all modern java build systems and is not a particular maven problem.
I am mostly trying to establish the actual severity of this issue; we will gladly accept patches that update the correctness of the quoting algorithms (or if you can explain it to thickheads like me, I'll even fix it myself!). The code we're talking about here is ancient (and none of my doing) and just understanding the problem/consequences is hard enough.
Charles Duffy charles@dyfis.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |charles@dyfis.net
--- Comment #4 from Charles Duffy charles@dyfis.net --- A patch correcting the quoting algorithm (and avoiding its use where possible) has been attached to PLXUTILS-161.
--- Comment #5 from Fedora End Of Life endoflife@fedoraproject.org --- This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life.
Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 18's end of life.
Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Mikolaj Izdebski mizdebsk@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |MODIFIED
   Fixed In Version|                            |3.0.16-1
--- Comment #6 from Mikolaj Izdebski mizdebsk@redhat.com --- Fixed in plexus-utils-3.0.16-1
Mikolaj Izdebski mizdebsk@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|MODIFIED                    |CLOSED
         Resolution|---                         |NEXTRELEASE
        Last Closed|                            |2014-01-27 09:04:45
--- Comment #7 from Mikolaj Izdebski mizdebsk@redhat.com --- I believe that this bug is fixed in plexus-utils-3.0.16-1, which is available in Fedora Rawhide, so I am closing this bug now.
The build containing the fix can be found at Koji: http://koji.fedoraproject.org/koji/buildinfo?buildID=494089
This bug was fixed in the next release of Fedora, and is not planned to be fixed in the release it was filed against. If you want this bug to be fixed in updates for Fedora 18, please say so in a comment. Otherwise you can update to the newer release of Fedora to get the fix.
Florian Weimer fweimer@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1532497 (CVE-2017-1000487)
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1532497 [Bug 1532497] CVE-2017-1000487 plexus-utils: Mishandled strings in Commandline class allow for command injection