
Foomatic-RIP (CVE-2015-8560)

Just a quick writeup today: recently I uncovered an issue in the Foomatic-RIP package. The bug can be found within the “filter/foomatic-rip/util.c” source and is due to the blacklist of shell metacharacters defined on the following line:

const char* shellescapes = "|&!$\'\"`#*?()[]{}";

This blacklist is used to sanitise characters that are later passed to the libc system() call.

It seems that this blacklist is missing the ; character, which means that if we can influence an argument passed to foomatic-rip that is later embedded in a shell command, we can potentially execute arbitrary commands.

For example, on line 647 of “/filter/foomatic-rip/foomaticrip.c”, we find the following:

snprintf(pdf2ps_cmd, CMDLINE_MAX,
         "gs -q -sstdout=%%stderr -sDEVICE=ps2write -sOutputFile=- "
         "-dBATCH -dNOPAUSE -dPARANOIDSAFER -dNOINTERPOLATE %s 2>/dev/null || "
         "pdftops -level2 -origpagesizes %s - 2>/dev/null",
         filename, filename);

If we control the “filename” parameter and name a file as follows:

test;ls;.pdf

..well, you get the picture :)
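To make the gap concrete, here is an added example (not foomatic-rip's own code) that models the blacklist-based escaping described above: every character found in the escape list is prefixed with a backslash before the string would reach system(). The escaping routine, the has_unescaped check and the "fixed" list with ; appended are assumptions of this example, not copied from util.c; the filename is the one from the writeup.

```c
/* Added example, not foomatic-rip's own code. It models blacklist-based
 * shell escaping: each character found in the escape list is prefixed with
 * a backslash. The function names and the escaping routine are assumptions,
 * not copied from util.c. */
#include <stdio.h>
#include <string.h>

/* Escape list exactly as quoted from util.c on this page: no ';' */
static const char *VULN_ESCAPES = "|&!$\'\"`#*?()[]{}";
/* Same list with ';' added (the obvious hardening for the described bug). */
static const char *FIXED_ESCAPES = "|&!$\'\"`#*?()[]{};";

/* Copy src to dest, prefixing every character from esc with a backslash.
 * Returns dest, or NULL if the result would not fit in size bytes. */
static char *escape_for_shell(char *dest, size_t size,
                              const char *src, const char *esc)
{
    size_t n = 0;
    for (const char *p = src; *p; p++) {
        if (strchr(esc, *p)) {
            if (n + 1 >= size) return NULL;
            dest[n++] = '\\';
        }
        if (n + 1 >= size) return NULL;
        dest[n++] = *p;
    }
    dest[n] = '\0';
    return dest;
}

/* Return 1 if c occurs in s without a preceding backslash, else 0.
 * This is the check that tells the two escape lists apart. */
static int has_unescaped(const char *s, char c)
{
    for (size_t i = 0; s[i]; i++) {
        if (s[i] == '\\' && s[i + 1]) { i++; continue; }  /* skip escaped char */
        if (s[i] == c) return 1;
    }
    return 0;
}

int main(void)
{
    const char *filename = "test;ls;.pdf";   /* constructed, from the writeup */
    char v[64], f[64];
    escape_for_shell(v, sizeof v, filename, VULN_ESCAPES);
    escape_for_shell(f, sizeof f, filename, FIXED_ESCAPES);
    printf("vulnerable list: %s  (unescaped ';': %d)\n", v, has_unescaped(v, ';'));
    printf("fixed list:      %s  (unescaped ';': %d)\n", f, has_unescaped(f, ';'));
    return 0;
}
```

With the original list the filename passes through untouched and the ; survives into the command line; with ; in the list it comes out as test\;ls\;.pdf, which sh treats as a literal filename.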