Bug 660001

Summary: zypper -n displays license interactively
Product: [openSUSE] openSUSE 11.4 Reporter: Bernhard Wiedemann <bwiedemann>
Component: libzyppAssignee: E-mail List <zypp-maintainers>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P3 - Medium CC: dmacvicar, security-team, suse-beta
Version: Factory   
Target Milestone: ---   
Hardware: All   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Bernhard Wiedemann 2010-12-16 19:53:05 UTC 
zypper -n displays license text interactively

How To Reproduce:
1. rpm -e --nodeps openSUSE-release
2. zypper -n in openSUSE-release

Actual Results:
zypper will display the license text using less which waits for "q" to be pressed
and then decline to install because --auto-agree-with-licenses was not given.

Expected Results:
zypper -n should be non-interactive.
so use "cat" as pager instead of "less"
Comment 1 Bernhard Wiedemann 2010-12-18 10:38:36 UTC 
the show_in_pager function might be a nice place to check for non-interactiveness


Note: src/utils/pager.cc:57 is
cmdline << "'" << pager << "' '" << file << "'";
which means that neither filename nor pager are allowed to contain apostrophes... and in certain circumstances such contructs can lead to security vulnarabilities (e.g. someone injecting an '`rm -rf /*`')

One better way is to not use apostrophes, but explicitly prefix all non-safe chars (e.g. [^a-zA-Z0-9.,/_-]) with a backslash to escape the special meaning of some characters.
Comment 2 Bernhard Wiedemann 2011-02-20 13:23:50 UTC 
This issue is still in current Factory version.
Comment 3 Christian Boltz 2011-02-20 15:25:19 UTC 
I just verified that comment #1 shows a real problem (if someone can somehow modify your $PAGER):

# PAGER="'"'`touch /tmp/zypper-gotyou`'\''less' zypper dup  # [1]
("normal" zypper output, skipped)
# ls -l /tmp/zypper-gotyou 
-rw-r--r-- 1 root root 0 20. Feb 16:19 /tmp/zypper-gotyou

[1] without quoting (better readable): PAGER='`touch /tmp/zypper-gotyou`'less
Comment 5 Duncan Mac-Vicar 2011-03-18 13:36:57 UTC 
Fixed in master. Will show up in Factory when 1.5.4 gets submitted.

http://www.gitorious.org/opensuse/zypper/commit/6a9c4f3ac459861ff9b00825a2121741fcb60b7c
Comment 6 Christian Boltz 2011-03-18 20:00:06 UTC 
Your commit does not fix the security issue Bernhard described in comment #1 :-(
Comment 7 Ludwig Nussel 2011-03-21 09:56:23 UTC 
WRT security, zypper is not setuid root so modifying $PAGER is no issue.
The file name passed is always a temporary file name generated by the code itself so it won't contain weird characters.
Comment 8 Michael Andres 2013-03-04 12:46:16 UTC 
.