1. Forum
  2. Usenet
  3. LINUX.DEBIAN.DEVEL

  • Fixing src:ucf environmnent variable insecurity in [old]stable

    From Mark Hindley@21:1/5 to All on Thu Dec 19 19:00:01 2024
    Hello,

    I recently completed salvaging of src:ucf[1].

    As part of code cleanup I discovered a variable inherited from the environment which is then passed to eval[2]. Unintended code execution is trivial to demonstrate. To my mind, this is a coding oversight. As the patch in #1089015 shows, the fix is simple and obvious. But I want to be sure that nobody is using
    inheritance of this variable as an undocumented 'feature' before merging the suggested patch.

    The Security Team have already been consulted and are content for this to be handled through stable-pu.

    For completeness, unstable and testing are no longer affected as virtually all uses of eval have been removed.

    Thanks

    Mark

    [1] https://bugs.debian.org/1086847

    [2] https://bugs.debian.org/1089015


    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCAAdFiEEUGwVpCsK9aCoVCPu0opFvzKH1kkFAmdkXN8ACgkQ0opFvzKH 1kk9wRAAiRTouqKQIww7azYjIfrxNM49h9UP1FDX3o0udy5sPeHBPusXk5rn1TGD xbKxbIyFbzv2KCbYCH/4OSgmclmSqNy1f9NanFhmLl6bJTuSu63LbRnPJxHefics dlIM7iXcNYyE1j4bcNBH1mymbGx/z0aOdpMzmib07wQZnfOw60M2kmhekHRk+FEW R19JtKPJXC3aJ7n3eJsctPTgoK513WiKiYJLdSGPwoCALJI40ENjPrm1eDFrmEw+ wlu89RxbcIHVgtDqeIO33wjgL6Vu+HcFNoVqZkwHWNsgCV+kmZ/9COxxSLQh/Ah5 p3KHCoxs96fbEQ5QYvmZRivPZd++1+LhZV8BTnV02kpTg3X/hLpbCBGdRtGTbnqr btGGTJmr9llNB2jrF2q+FZll55eYtnzcREUBBY7rDkwwJBLCxvYdTs/w43D/Z5NE O1ZvmEsm7h/K/9bkwj5UcLch4HwV7atdfJhkcWBAfooucNWR/WB7/CV4l+tY3jje yqAtV/JmKkYufuz/p4QAbEG7iuNyLp/yoPSb5mQ22A94qoqaPbphN9eQs/6lc8Va /XRqV4b00XbdJMYu7Zvrtq+5vsU/KudAbFUtjU0RC0ES+mngV+oA5vKDz7m/grCq EflST+lD+6wwuZGW4+z34+RTUbwz69qWgcURFSCGPaHSU3WeL38=
    =N0WT
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Santiago Ruano =?iso-8859-1?Q?Rinc=@21:1/5 to All on Fri Dec 20 04:00:01 2024
    Hi Mark, and thanks for the heads-up,

    CC'ing the LTS mailing list for visibility. BCC'ing debian-devel.

    El 19/12/24 a las 17:50, Mark Hindley escribi�:
    Hello,

    I recently completed salvaging of src:ucf[1].

    As part of code cleanup I discovered a variable inherited from the environment
    which is then passed to eval[2]. Unintended code execution is trivial to demonstrate. To my mind, this is a coding oversight. As the patch in #1089015
    shows, the fix is simple and obvious. But I want to be sure that nobody is using
    inheritance of this variable as an undocumented 'feature' before merging the suggested patch.

    The Security Team have already been consulted and are content for this to be handled through stable-pu.

    For completeness, unstable and testing are no longer affected as virtually all
    uses of eval have been removed.

    Thanks

    Mark

    [1] https://bugs.debian.org/1086847

    [2] https://bugs.debian.org/1089015


    There are not point releases for the LTS release, so if this warrants an
    fix, it should be done via a DLA. Emilio, since you are FD this week,
    would you mind taking a look at this?

    Cheers,

    -- Santiago

    -----BEGIN PGP SIGNATURE-----

    iHUEABYIAB0WIQR+lHTq7mkJOyB6t2Un3j1FEEiG7wUCZ2TcIQAKCRAn3j1FEEiG 7/G4AQDNsXUHUU49tWHu+yrFA/HuD3X/qJMPmd2h2jdQbKjZzwD+Ms1djE2mpsJt Q925iK0i3l4M7uw2QUpg/VaTT9UUnw0=
    =GisQ
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)