[Pkg-pascal-devel] pasdoc CVE-2017-17527

Michalis Kamburelis michalis.kambi at gmail.com
Fri Dec 15 09:12:02 UTC 2017

2017-12-15 9:02 GMT+01:00 Paul Gevers <elbrus at debian.org>:
> Hi Michalis,
> I assume someone already contacted you about CVE-2017-17527 right?
> delphi_gui/WWWBrowserRunnerDM.pas in PasDoc 0.14 does not validate
> strings before launching the program specified by the BROWSER
> environment variable, which might allow remote attackers to conduct
> argument-injection attacks via a crafted URL.
> https://security-tracker.debian.org/tracker/CVE-2017-17527

No, nobody contacted me or the pasdoc-main mailing list about this
CVE. This is the first time I hear about it...

And the CVE is somewhat irrelevant, to be honest. It talks about a
piece of unused code (BrowserCommand is never used) inside an unused
project (delphi_gui). Details:

1. delphi_gui/xxx is not actively maintained, and it was never
included in PasDoc releases (official ones from
pasdoc.sourceforge.net, or the Debian packages). I guess that the
author of this CVE just searched the web, found this line:
... and reported it.

2. If we look at delphi_gui/ code, we can see that the $BROWSER is
never actually executed this way.  Inside
, the constant DefaultWWWBrowserCommand is only used to eventually
(through the main form) initialize TWWWBrowserRunner.BrowserCommand.
But the TWWWBrowserRunner.BrowserCommand is not used by anything. The
code inside TWWWBrowserRunner.RunBrowser is only implemented for
32-bit Windows, and there it uses a Windows-specific way to open a
browser, without looking at the BrowserCommand .

    The reason it's OK is that Delphi was originally only for 32-bit
Windows, nobody cared to adjust delphi_gui for other OSes.

    The reason why we have BrowserCommand is that someone (maybe it
was me :), but it was a long time ago) planned to port this code to
other OSes. And eventually it was ported: We now have GUI (maintained)
inside the  gui/ subdirectory, using Lazarus. This is the official
pasdoc_gui, build and distributed. However, in that GUI, the problem
is solved by just calling the OpenURL function from Lazarus LCL. So we
don't have BrowserCommand and the relevant security risk. (Search
for OpenURL.)

Bottom line: I can simply remove the whole BrowserCommand. Which I did
(the links from this mail point to the GIT state before removal), in
this commit: https://github.com/pasdoc/pasdoc/commit/221efcb419ece10674dc402c76daa8356c7cf35c
. Maybe I'll remove whole delphi_gui too, eventually, since it's not
maintained anymore.

If you can pass this information to the authors of this CVE, I would
be grateful :)


More information about the Pkg-pascal-devel mailing list