[CVE-2008-5076] htop does not filter non-printable characters in process names

Bug #299627 reported by David Futcher on 2008-11-18
Affects          Status        Importance  Assigned to  Milestone
htop             Unknown       Unknown
htop (Debian)    Fix Released  Unknown
htop (Fedora)    Fix Released  Medium
htop (Ubuntu)                  Undecided   Unassigned
  Declined for Gutsy by Andreas Wenning
  Dapper                       Undecided   Unassigned
  Hardy                        Undecided   Unassigned
  Intrepid                     Undecided   Unassigned
  Jaunty                       Undecided   Unassigned

Bug Description

Binary package hint: htop

Htop writes process names to a terminal without sanitizing non-printable characters, which might allow local users to hide processes, modify arbitrary files, or have unspecified other impact via a process name with "crazy control strings."

htop 0.7 writes process names to a terminal without sanitizing
non-printable characters, which might allow local users to hide processes,
modify arbitrary files, or have unspecified other impact via a process name
with "crazy control strings."

http://www.openwall.com/lists/oss-security/2008/11/02/1
http://www.openwall.com/lists/oss-security/2008/11/14/3
http://bugs.debian.org/504144
http://xforce.iss.net/xforce/xfdb/46321

htop-0.8.1-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/htop-0.8.1-2.fc9

htop-0.8.1-2.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/htop-0.8.1-2.fc8

htop-0.8.1-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/htop-0.8.1-2.fc10

David Futcher (bobbo) on 2008-11-18
Changed in htop:
assignee: nobody → bobbo
status: New → In Progress
Changed in htop:
status: Unknown → Confirmed
David Futcher (bobbo) wrote :

Patch that fixes this (taken from Fedora). Applied it inline as it is a small patch and Debian does not provide a patchsys (IIRC, we try not to add patch systems if possible). Builds in a Jaunty pbuilder.

htop-0.8.1-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

htop-0.8.1-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

David Futcher (bobbo) on 2008-11-19
Changed in htop:
assignee: bobbo → nobody
status: In Progress → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package htop - 0.8.1-0ubuntu2

---------------
htop (0.8.1-0ubuntu2) jaunty; urgency=low

  * Add patch (inline) to filter non-printable characters in process names.
    Thanks to Andrew O. Shadoura for the patch. (LP: #299627)
    - This bug could be used by an attacker to hide malicious processes.
    - CVE-2008-5076

 -- David Futcher <email address hidden> Tue, 18 Nov 2008 20:42:48 +0000

Changed in htop:
status: Confirmed → Fix Released

htop-0.8.1-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

How is this applied patch supposed to be working with Unicode characters?
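The fix carried by the Fedora, Debian and Ubuntu packages replaces every byte of the process name that isprint() rejects with '?' before the name reaches the terminal. The following is an added example, not htop's code and not the patch attached to this bug, that shows the same byte-wise filter as a stand-alone function run over constructed process names; the function names and the sample inputs are my own. The UTF-8 sample illustrates the question raised above: in the C locale each byte of a multibyte character fails isprint(), so a name like "café" is rendered as "caf??". The cast to unsigned char is deliberate, since isprint() is only defined for values representable as unsigned char or EOF.

```c
/* Added example, not htop's code: filter a process name so that no
 * terminal control byte survives, in the spirit of the upstream fix. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy `in` into `out` (capacity outlen, always NUL-terminated), replacing
 * every byte that is not printable in the current locale with '?'.
 * Returns the number of bytes that were replaced. No setlocale() is called,
 * so this runs in the "C" locale, where bytes >= 0x80 are never printable. */
size_t sanitize_procname(const char *in, char *out, size_t outlen)
{
    size_t replaced = 0, i;
    if (outlen == 0)
        return 0;
    for (i = 0; in[i] != '\0' && i + 1 < outlen; i++) {
        /* Cast first: isprint() on a negative char value is undefined. */
        unsigned char c = (unsigned char) in[i];
        if (isprint(c)) {
            out[i] = (char) c;
        } else {
            out[i] = '?';
            replaced++;
        }
    }
    out[i] = '\0';
    return replaced;
}

/* Check helper: does the string still contain a C0 control byte (including
 * ESC, 0x1b), DEL, or a C1 control byte that a terminal might interpret? */
int contains_control_bytes(const char *s)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char) *s;
        if (c < 0x20 || c == 0x7f || (c >= 0x80 && c < 0xa0))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from a real system. */
    const char *samples[] = {
        "bash",
        "sleep\033[2J\033[Hhidden",   /* ESC sequences embedded in argv[0] */
        "caf\303\251",                /* UTF-8 "café": two bytes >= 0x80 */
    };
    char buf[64];
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        size_t r = sanitize_procname(samples[n], buf, sizeof buf);
        /* Only the sanitized form is printed, so nothing here can drive the terminal. */
        printf("sample %zu -> \"%s\" (%zu byte(s) replaced, control bytes left: %d)\n",
               n, buf, r, contains_control_bytes(buf));
    }
    return 0;
}
```

Replacing rather than dropping bytes keeps the displayed length stable and makes a tampered name visible as a run of '?'; a locale-aware version would have to decode UTF-8 and use iswprint() instead, which is the trade-off behind the question above.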

David Futcher (bobbo) wrote :

After reading the code for the last few releases of Htop, all Ubuntu releases all the way back to Dapper are affected by this bug.

Changed in htop:
assignee: nobody → bobbo
status: Fix Released → In Progress
David Futcher (bobbo) wrote :

I currently do not have the time to fix this bug. I will pass it on to someone who knows more about security processes in Ubuntu.

Changed in htop:
assignee: bobbo → nobody
status: In Progress → Confirmed
Changed in htop:
status: Unknown → Fix Released
Changed in htop (Ubuntu Jaunty):
status: Confirmed → Fix Released
Changed in htop (Ubuntu Intrepid):
assignee: nobody → andreas-wenning
status: New → In Progress
Changed in htop (Ubuntu Hardy):
assignee: nobody → andreas-wenning
status: New → In Progress
Changed in htop (Ubuntu Dapper):
status: New → Confirmed

Here is a debdiff for intrepid fixing this.

And for hardy.

gutsy goes EOL shortly, not worth fixing it there.
Fixing it for dapper will require a slightly more invasive fix, so I'm not completely sure how to proceed with that one.

Both of the above debdiffs are of course built on that release, and tested.

Changed in htop (Ubuntu Hardy):
assignee: andreas-wenning → nobody
Changed in htop (Ubuntu Intrepid):
assignee: andreas-wenning → nobody
Jamie Strandboge (jdstrand) wrote :

Andreas, thanks for your help on this! :) You uploaded a dsc file for Hardy and not a debdiff. Can you upload the debdiff?

Changed in htop (Ubuntu Hardy):
status: In Progress → Triaged
Jamie Strandboge (jdstrand) wrote :

I forgot to mention: please change the status to 'In Progress' after uploading the hardy debdiff.

This one should be better :)

Changed in htop (Ubuntu Hardy):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Andreas-- the patch for hardy is not correct (FTBFS). Specifically:
- this->chstr[i] = data[j] | attrs;
+ this->chstr[i] = (isprint(data_c[j]) ? data_c[j] : '?') | attrs;
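Review bot: the `+` line passes a plain `char` to `isprint()`, whose argument must be representable as an unsigned char or be EOF; for a process name containing bytes 0x80 and above (UTF-8) on a platform where `char` is signed, that is undefined behaviour, so cast first: `this->chstr[i] = (isprint((unsigned char) data[j]) ? data[j] : '?') | attrs;`. The same line also answers the Unicode question raised earlier: in the C locale every byte of a multibyte character fails `isprint()` and is displayed as '?'. As already noted, `data_c` does not exist in Hardy's tree, so the hunk does not build there, and `<ctype.h>` must be included for `isprint()`.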

You changed from data[] to data_c[]. AFAICT data_c doesn't exist in Hardy's code. Please resubmit after testing, mark to In Progress, and please detail the testing performed on Hardy. Thanks!

Changed in htop (Ubuntu Hardy):
status: In Progress → Incomplete

I'm terribly sorry; seems the debdiff juggling did not go well for me this time at all!

Here is the correct debdiff that you should have gotten in the first place. I've started from scratch in a new directory with this debdiff to check that everything is correct now.

The testing has been operating the program: switching view modes, sorting, searching etc.

Same goes for the intrepid debdiff.

Changed in htop (Ubuntu Hardy):
status: Incomplete → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package htop - 0.6.6+svn20070915-1ubuntu0.2

---------------
htop (0.6.6+svn20070915-1ubuntu0.2) hardy-security; urgency=low

  * SECURITY UPDATE: Insufficient character filters in htop when displaying
    commands allowed programs that rewrite their program name to inject
    escape sequences. (LP: #299627)
    - CVE-2008-5076
    - Patch taken from upstream svn rev 148; applied inline.

 -- Andreas Wenning <email address hidden> Tue, 07 Apr 2009 17:43:47 +0200

Changed in htop (Ubuntu Hardy):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package htop - 0.8-0ubuntu1.1

---------------
htop (0.8-0ubuntu1.1) intrepid-security; urgency=low

  * SECURITY UPDATE: Insufficient character filters in htop when displaying
    commands allowed programs that rewrite their program name to inject
    escape sequences. (LP: #299627)
    - CVE-2008-5076
    - Patch taken from upstream svn rev 148; applied inline.

 -- Andreas Wenning <email address hidden> Tue, 07 Apr 2009 17:34:27 +0200

Changed in htop (Ubuntu Intrepid):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in htop (Ubuntu Dapper):
status: Confirmed → Won't Fix
Changed in htop (Fedora):
importance: Unknown → Medium
status: Confirmed → Fix Released