The Samba-Bugzilla – Bug 13710
smbclient more: potential security vulnerability with bad PAGER env
Last modified: 2018-12-13 07:46:36 UTC
on line 696
pager_cmd = talloc_asprintf(ctx, "%s %s",(pager? pager:DEFAULT_PAGER), lname);
rc = system(pager_cmd);
system() is called on the command specified by the systems environmental variable PAGER, since this command is specified by the user's environment it is potentially dangerous. Some kind of sanity check should be added to check that the pager command is safe.
Thanks for reporting this issue. However please report any security issues directly to our security team. Details are at:
On this particular issue:
I can imagine some very limited situations where a trusted script from a restricted shell with a fixed output (yet somehow calling the subcommand 'more', and so PAGER, so not get/put) could allow a break-out, but this really is a long bow.
If someone has control over smbclient, this (man smbclient) would be faster and simpler:
! [shell command]
If shell command is specified, the ! command will execute a shell locally and run the specified shell command. If no command is specified, a local shell
will be run.
I also can't really think how you could sanitize $PAGER with any practicality.
Finally, source4/client/client.c is bin/smbclient4, which is not installed. (The same code is in the production smbclient however).
I'm therefore going to close this as WONTFIX, but am happy to hear other views.