Your message dated Wed, 02 Sep 2015 21:48:30 +0200 with message-id <[email protected]> and subject line Re: Bug#697136: debhelper: Remote code execution, shell expansion through well-crafted source packages has caused the Debian Bug report #697136, regarding debhelper: Remote code execution, shell expansion through well-crafted source packages to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 697136: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697136 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: debhelper Version: 9.20120909 Severity: normal Dear Maintainer, please put some protection into the debhelper suite against mal-formed package names in debian/control. There actually is a check by dh_builddeb but that's rather late in the build process. Until then, the name is taken as-is, even in shell expansions, allowing remote code execution through well-crafted source packages. This is not as bad as it seems since debian/rules already allows any mess you could think of. Still it's annoying and surprising. There are at least two places: 1. In dh_clean complex_doit("rm -f debian/$ext*.debhelper"); There is no check against binary package names as odd as Package: bug;date -u # (loaded into $ext), therefore dh_clean which will execute 'date -u' and continue. Later in the build, dh_md5sums will fail, causing an abort. 2. In /usr/share/perl5/Debian/Debhelper/Dh_Lib.pm complex_doit("perl -pe 's~#DEBHELPER#~qx{cat debian/$ext$script.debhelper}~eg' < $file > $tmp/DEBIAN/$script") A binary package name containing the illegal character ~ will result in an error message if that code path is hit e.g. by providing .init and .postinst with the '#DEBHELPER' tag. Such a name (again in $ext) breaks the expression in a surprising way. Sorting out the order of evaluation in the line above is left as en exercise to the reader. As said above, there are easier ways to compromise a buildd, hence severity is set to normal instead of grave, security. But bad input should be dealt with in an obvious way, not by breaking the build process at surprising places. Cheers, Christoph -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 3.4.24 (SMP w/4 CPU cores; PREEMPT) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages debhelper depends on: ii binutils 2.22-7.1 ii dpkg 1.16.9 ii dpkg-dev 1.16.9 ii file 5.11-2 ii html2text 1.3.2a-15 ii man-db 2.6.2-1 ii perl 5.14.2-16 ii po-debconf 1.0.16+nmu2 debhelper recommends no packages. Versions of packages debhelper suggests: ii dh-make 0.61 -- no debconf information
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---Control: tags -1 wontfix On Wed, 2 Jan 2013 12:45:35 -0400 Joey Hess <[email protected]> wrote: > No, I refuse to allow debian/control to become a security boundry > which I have to worry about. There are too many legitimate ones in the > world. > > -- > see shy jo Hi, I agree with Joey on this one. At the point you start the build, you are trusting the package (upstream build included) to not brick/take over your machine. Arbitrary code execution in a package build is a dime a dozen. You can much easier hide something in the upstream build, which would not stand out (unlike the given examples). That said, there are certainly other programs that need to be a lot more careful than debhelper. As an example, I can mention Lintian. If you were able to reproduce such an issue while running such a program on a crufted package, please do send the security team a notification. Thanks, ~Niels
--- End Message ---
