jpeg data prints in smbldap-usershow, corrupts terminal, security risk
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
smbldap-tools (Ubuntu) | Invalid | Wishlist | Unassigned | |
Bug Description
Binary package hint: smbldap-tools
smbldap-usershow prints out all the attributes attached to that user. Some attributes, however, may be binary data, such as a JPG image of the individual. Further, at our site, the jpg files are uploaded by the user, and could in theory have specially crafted text targeting xterm to cause a security breach. (Not to mention, it blows away the terminal, requiring a reset).
The fix to this is to check each attribute for non-printable characters, and replace it with a string such as **UNPRINTABLE** if any are found.
(See the following patch)
--- smbldap-
+++ smbldap-
@@ -773,13 +773,15 @@
$mesg->code && die $mesg->error;
foreach my $entry ($mesg-
$lines.= "dn: " . $entry->dn."\n";
foreach my $attr ($entry-
- {
- $lines.= $attr.": ".join(',', $entry-
+ my @vals = $entry-
+ foreach my $val (@vals) {
+ $val="*
}
+ $lines.= $attr.": ".join(',', @vals)."\n";
}
}
chomp $lines;
if ($lines eq '') {
return undef;
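Review bot: the `dn:` line in the unchanged context (`$lines.= "dn: " . $entry->dn."\n";`) and the attribute name `$attr` are still appended to `$lines` unfiltered, so only attribute values get the new check; consider passing the DN through the same test so everything written to the terminal is covered. The test on the `$val="*` line is cut off in this copy of the patch, so confirm that it rejects ESC and the other control bytes, and that it does not replace valid multi-byte UTF-8 values (an accented name, for instance) with the placeholder.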
Is this symptom still reproducible in 8.10 RC or later?
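The filtering proposed in the bug description, written out as an added example; it is not the reporter's patch and not smbldap-tools code. It goes slightly beyond the report by accepting valid UTF-8 text and by filtering the DN as well; `printable_value`, `render_entry`, the byte count in the placeholder and the sample entry are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode ();

# Hypothetical helper, not smbldap-tools code: return the value unchanged if it
# is safe to write to a terminal, otherwise a placeholder based on the report's.
sub printable_value {
    my ($raw) = @_;    # raw octets as returned by the LDAP server
    my $placeholder = sprintf('**UNPRINTABLE** (%d bytes)', length($raw));

    # Strict UTF-8 decode: binary data such as a JPEG fails here.
    my $text = eval {
        Encode::decode('UTF-8', $raw, Encode::FB_CROAK() | Encode::LEAVE_SRC());
    };
    return $placeholder unless defined $text;

    # C0 controls (ESC is 0x1B), DEL and C1 controls (8-bit CSI is 0x9B) are
    # the building blocks of terminal escape sequences; newlines are rejected
    # too so a value cannot fake an extra "attr: value" line.
    return $placeholder if $text =~ /[\x00-\x1f\x7f-\x{9f}]/;
    return $raw;
}

# Same output shape as the loop in the patch, with the DN filtered as well.
sub render_entry {
    my ($dn, $attrs) = @_;    # $attrs: { name => [ raw values ] }
    my $lines = 'dn: ' . printable_value($dn) . "\n";
    for my $attr (sort keys %$attrs) {
        my @vals = map { printable_value($_) } @{ $attrs->{$attr} };
        $lines .= $attr . ': ' . join(',', @vals) . "\n";
    }
    chomp $lines;
    return $lines;
}

# Constructed sample entry (not real directory data).
my %attrs = (
    uid         => ['jdoe'],
    displayName => ["Zo\xc3\xab Doe"],                    # valid UTF-8
    description => ["hello\x1b[2Jworld"],                 # embedded escape
    jpegPhoto   => ["\xff\xd8\xff\xe0\x00\x10JFIF\x00"],  # JPEG header bytes
);
print render_entry('uid=jdoe,ou=Users,dc=example,dc=org', \%attrs), "\n";
```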