Vulnerability

    Global

Affected

    Global-3.55 (NetBSD)

Description

    Following is based on a  NetBSD Security Advisory 2000-014.   When
    using the CGI interface of the Global v3.55 package, it's possible
    to  execute  random  commands.   global  is  a source-code tagging
    system for indexing and searching large bodies of source code.

    The exploit of  this is possible  due to insufficient  handling of
    quoted or  escaped characters  in this  version, and  command line
    arguments that are then handed off to shell commands.

    The  global  port,  versions  3.5  through  to  3.55,  contains  a
    vulnerability in  the CGI  script generated  by the  htags utility
    which  allows  a  remote  attacker  to  execute  code on the local
    system as the user running the script, typically user 'nobody'  in
    most installations.

    If the 'htags -f' command is  used to generate a CGI script  which
    is  then  installed  under  a  webserver,  then  remote  users may
    execute arbitrary commands on the  local system as the user  which
    runs  the  CGI  script.   If  you  have  not chosen to install the
    global port/package, or you have  not used the 'htags -f'  command
    to produce  a CGI  script, then  your system  is not vulnerable to
    this problem.

    The  problem  was  reported  in  NetBSD  PR 11165 by the author of
    global,  Shigio   Yamaguchi.   The   package  updated   by  as   a
    collaboration of Hubert Feyrer and David Brownlee.  Hubert  Feyrer
    also drafted this security advisory.

Solution

    To find  out if  you have  the problematic  version of  the global
    package installed, type

        pkg_info -e global

    If this displays "global-3.55" or  below, you are vulnerable.   If
    this  displays  "global-4.0.1"  or  higher,  your  system  is  not
    vulnerable either.   If this displays  no output at  all, it means
    you don't have the "global" package installed, and your system  is
    not vulnerable.

    If your system is vulnerable,  the best solution is to  upgrade to
    the latest version in pkgsrc,  which is 4.0.1 as of  this writing.
    There are precompiled  binary packages of  global for some  NetBSD
    ports available from:

        ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/devel/global/README.html

    If no precompiled binary is  available for your platform, you  can
    build your own from source.

    To  render  the  vulnerability  unexploitable,  modify  the   file
    'HTML/cgi-bin/global.cgi' around line 35, and change the generated
    HTML from:

        $pattern =~ s/'//g;                     # to shut security hole

    to

        $pattern =~ s/"//g;                     # to shut security hole

    For FreeBSD:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/global-4.0.1.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/global-4.0.1.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/global-4.0.1.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/global-4.0.1.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/global-4.0.1.tgz