Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Special shell characters are interpreted in path to the boot ISO image #4860

Closed
marmarek opened this issue Mar 7, 2019 · 8 comments
Closed

Special shell characters are interpreted in path to the boot ISO image #4860

marmarek opened this issue Mar 7, 2019 · 8 comments
Assignees
@marmarek
Labels
C: core P: critical Priority: critical. Between "major" and "blocker" in severity. r4.0-buster-stable r4.0-centos7-stable r4.0-dom0-stable r4.0-fc27-stable r4.0-fc28-stable r4.0-fc29-stable r4.0-jessie-stable r4.0-stretch-stable
Milestone
Release 4.0 updates

Comments

@marmarek
Copy link
Member

marmarek commented Mar 7, 2019

Qubes OS version:

R4.0

Affected component(s) or functionality:

core

Steps to reproduce the behavior:

  1. Select "Boot qube from CDROM", or execute qubes-vm-boot-from-device.
  2. Choose to use a file from another qube.
  3. Select a file containing special shell characters, like $, or `.
  4. Boot.

Expected or desired behavior:

Filename is used literally, no special characters are interpreted.

Actual behavior:

Special characters are interpreted by shell in the VM where the file is stored. This include possible command execution with `.

General notes:

The problem is in two places:

  1. The GUI for choosing the file fails to reject potentially harmful file names (there is a code for that, but it's buggy).
  2. qvm-start tool fails to properly escape/quote file name given in --cdrom argument, when sending it back to originating VM (losetup command call).

Reported by @v6ak

I am aware of the following related, non-duplicate issues:

#4850 would avoid the second problem
@marmarek marmarek added bug C: core P: critical Priority: critical. Between "major" and "blocker" in severity. labels Mar 7, 2019
@marmarek marmarek added this to the Release 4.0 updates milestone Mar 7, 2019
@marmarek marmarek self-assigned this Mar 7, 2019
marmarek added a commit to marmarek/qubes-core-admin-client that referenced this issue Mar 7, 2019
@marmarek
tools/qvm-start: use vm.run_with_args to call losetup in the VM
a2629b1 
This will fix handling filenames with spaces and shell special
characters.

Reported by @v6ak

Fixes QubesOS/qubes-issues#4860
marmarek added a commit to marmarek/qubes-core-admin-client that referenced this issue Mar 7, 2019
@marmarek
tools/qvm-start: validate output of losetup command
fb910a7 
QubesOS/qubes-issues#4860
@qubesos-bot
Copy link

Automated announcement from builder-github

The package qubes-manager-4.0.29-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

This was referenced Mar 7, 2019
Closed
Closed
@marmarek marmarek mentioned this issue Mar 7, 2019
Merged
@qubesos-bot qubesos-bot mentioned this issue Mar 7, 2019
Closed
@qubesos-bot
Copy link

Automated announcement from builder-github

The package core-admin-client has been pushed to the r4.0 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot mentioned this issue Mar 7, 2019
Closed
@qubesos-bot
Copy link

Automated announcement from builder-github

The package python2-qubesadmin-4.0.25-0.1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package qubes-core-admin-client_4.0.25-1 has been pushed to the r4.0 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package core-admin-client has been pushed to the r4.0 stable repository for the CentOS centos7 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package python2-qubesadmin-4.0.25-0.1.fc25 has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package qubes-core-admin-client_4.0.25-1+deb9u1 has been pushed to the r4.0 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package qubes-manager-4.0.33-1.fc25 has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marmarek marmarek

Labels
C: core P: critical Priority: critical. Between "major" and "blocker" in severity. r4.0-buster-stable r4.0-centos7-stable r4.0-dom0-stable r4.0-fc27-stable r4.0-fc28-stable r4.0-fc29-stable r4.0-jessie-stable r4.0-stretch-stable
Projects
None yet
Milestone
Release 4.0 updates
Development

No branches or pull requests
2 participants
@marmarek @qubesos-bot