Command Injection due to lack of sanitisation of .bdf filename

[firmianay]

hi, great project!

I found a vulnerability that seems to exist. Due to lack of proper validation of .bdf filename, this vulnerability allows to inject arbitrary commands and execute them.

bImport -> FVImportBDF -> _SFImportBDF -> system(buf)

static BDFFont *_SFImportBDF(SplineFont *sf, char *filename,int ispk, int toback, EncMap *map) {
    int i;
    char *pt, *temp=NULL;
    char buf[1500];
    BDFFont *ret;

    pt = strrchr(filename,'.');
    i = -1;
    if ( pt!=NULL ) for ( i=0; compressors[i].ext!=NULL; ++i )
	if ( strcmp(compressors[i].ext,pt+1)==0 )
    break;
    if ( i==-1 || compressors[i].ext==NULL ) i=-1;
    else {
	sprintf( buf, "%s %s", compressors[i].decomp, filename );
	if ( system(buf)==0 )
	    *pt='\0';
	else {

[firmianay]

In addition, there may be some overflow problems, such as the getFontForgeUserDir function, because the length of the environment variable is not checked, which may cause the stack overflow of buffer in getPfaEditEncodings

static char *getPfaEditEncodings(void) {
    static char *encfile=NULL;
    char buffer[1025];
    char *ffdir;

    if ( encfile!=NULL )
        return encfile;
    ffdir = getFontForgeUserDir(Config);
    if ( ffdir==NULL )
        return NULL;
    sprintf(buffer,"%s/Encodings.ps", ffdir);
    free(ffdir);
    encfile = copy(buffer);
    return encfile;
}

[skef]

https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1

[firmianay]

https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1

ok, sorry to bother you guys, I didn't mean any harm.

[ctrlcctrlv]

Yes, no problem at all. Thanks for the report. :)

[ctrlcctrlv]

I think this one is serious enough in that it's easy enough to exploit that I will prepare a patch, regardless of §D1, which is just a guideline and not a rule.

[ctrlcctrlv]

@firmianay Is it okay with you if I consider this bug to involve only the system(buf) exploit in _SFImportBDF, and you can open another one at your option for the buffer overflow in getPfaEditEncodings if you still care about it, which in my mind does indeed fall under the general §D1 guideline and so I'm not interested in patching it?,

[firmianay]

@ctrlcctrlv Thanks for the reply, it's okay for me to only deal with system(buf) issue, and I respect this guideline too.

[ctrlcctrlv]

OK, will do. :)

While in a perfect world all the untrusted input issues could be fixed, there are just way too many for anyone to tackle, and I wouldn't want to mislead users by even trying to do some kind of audit into thinking they're all fixed, as that likely won't be the case...

But the system(buf) issue for me at least is one that's so easy to exploit it should actually be fixed as it wouldn't really require much complex fashioning at all