Your message dated Sat, 21 Jul 2018 00:04:57 +0000
with message-id <[email protected]>
and subject line Bug#883889: fixed in debian-goodies 0.81
has caused the Debian Bug report #883889,
regarding which-pkg-broke: untrusted search path
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
883889: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883889
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: debian-goodies
Version: 0.79
Tags: security patch
which-pkg-broke can inadvertently execute binaries from the current
working directory. Proof of concept:
$ printf '#!/bin/sh\napt-get moo>/dev/tty' > apt-cache
$ chmod u+x apt-cache
$ command -v apt-cache
/usr/bin/apt-cache
$ which-pkg-broke debian-goodies
         (__)
         (oo)
   /------\/
  / |    ||
 *  /\---/\
    ~~   ~~
..."Have you mooed today?"...
debian-goodies Fri Nov 24 22:39:04 2017
This happens because:
1) w-p-b removes all environment variables when spawning subprocesses.
2) When PATH is missing, Python falls back to ":/bin:/usr/bin", which
has cwd in the front: https://bugs.python.org/issue26414
(This is unfortunate, but consistent with what glibc historically did.)
Patch attached.
-- System Information:
Architecture: i386
Versions of packages debian-goodies recommends:
ii apt 1.6~alpha5
ii curl 7.57.0-1
ii dctrl-tools 2.24-2+b1
ii elfutils 0.170-0.1
ii libipc-system-simple-perl 1.25-3
ii man-db 2.7.6.1-4
ii perl 5.26.1-3
un popularity-contest <none>
ii procps 2:3.3.12-3
ii python3 3.6.3-2
ii sensible-utils 0.0.11
ii whiptail 0.52.20-1+b1
ii dialog 1.3-20160828-2
un zenity <none>
--
Jakub Wilk
diff --git a/which-pkg-broke b/which-pkg-broke
index 4f53139..c0bd621 100755
--- a/which-pkg-broke
+++ b/which-pkg-broke
@@ -9,12 +9,15 @@ import time
from string import *
from stat import *
+def force_posix_locale():
+ os.environ['LC_ALL'] = 'C'
+
def pkgdeps(pkg):
apt_cache = subprocess.Popen(
['apt-cache', 'depends', pkg],
stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
universal_newlines=True,
- env={} # force POSIX locale
+ preexec_fn=force_posix_locale,
)
deps = []
for myline in apt_cache.stdout:
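Review bot: preexec_fn is the heavier of the two ways to fix this hunk; passing env=dict(os.environ, LC_ALL='C') to Popen sets the locale while keeping the caller's PATH and the rest of the environment, needs no helper, and avoids the caveat in the subprocess documentation that preexec_fn runs between fork and exec and is not safe when the parent has threads. If preexec_fn stays, force_posix_locale depends on os being imported; the visible context only shows "import time", "from string import *" and "from stat import *", so check the import list above the hunk. Either way the change does close the report: the child now inherits the parent's PATH instead of falling back to os.defpath.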
@@ -49,7 +52,7 @@ def localarchitectures():
['dpkg', '--print-architecture'],
stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
universal_newlines=True,
- env={} # force POSIX locale
+ preexec_fn=force_posix_locale,
)
for arch in dpkg_arch.stdout.readlines():
architectures.append(arch.rstrip())
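Review bot: this is the second of three call sites that repeat the same four keyword arguments (stdout, stderr, universal_newlines, preexec_fn=force_posix_locale) verbatim; a small wrapper such as run_posix(argv) that builds the Popen with the shared arguments would keep the locale handling in one place, so a future call site cannot quietly reintroduce env={} and with it the PATH reset this patch removes.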
@@ -59,7 +62,7 @@ def localarchitectures():
['dpkg', '--print-foreign-architecture'],
stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
universal_newlines=True,
- env={} # force POSIX locale
+ preexec_fn=force_posix_locale,
)
for arch in dpkg_archs.stdout.readlines():
architectures.append(arch.rstrip())
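Review bot: dpkg(1) documents the option as --print-foreign-architectures (plural); confirm that the singular --print-foreign-architecture on the first line of this hunk is actually accepted by dpkg, because with stderr=subprocess.STDOUT an unknown-option error would be read back through dpkg_archs.stdout and appended to architectures as a bogus entry by the loop below.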
--- End Message ---
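An added illustration, not part of the bug report or of debian-goodies: it shows which directories a Popen child searches for its program when called with env={} (no PATH, so os.defpath decides; on the Python 3.6 in the report that string starts with an empty entry, i.e. the current directory), flags any cwd-relative entries, and builds the hardened environment that sets LC_ALL=C while inheriting PATH. The function names are mine.

```python
import os
import subprocess


def resolved_exec_path(env):
    """Directories subprocess will search for the program when Popen is
    given this env: env['PATH'] if present, otherwise os.defpath."""
    return os.get_exec_path(env)


def unsafe_path_entries(env):
    """Search-path entries resolved relative to the current working
    directory: an empty component (from a leading, trailing or doubled
    ':'), '.', or any other relative path."""
    return [d for d in resolved_exec_path(env) if not os.path.isabs(d)]


def posix_locale_env(base=None):
    """Hardened replacement for env={}: copy the caller's environment
    (base defaults to os.environ, so PATH survives) and override only the
    locale. Same effect as the patch's preexec_fn helper, without it."""
    env = dict(os.environ if base is None else base)
    env['LC_ALL'] = 'C'
    return env


def run_posix(argv):
    """Run argv under the C locale without clobbering the search path."""
    return subprocess.run(argv, env=posix_locale_env(),
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          universal_newlines=True)


if __name__ == '__main__':
    # env={} hands the child no PATH at all, so os.defpath decides; on the
    # Python 3.6.3 in the report that is ':/bin:/usr/bin' (cwd first).
    print('env={} searches      :', resolved_exec_path({}))
    print('cwd-relative entries :', unsafe_path_entries({}))
    # The hardened env keeps the caller's PATH and only adds LC_ALL=C.
    print('hardened env searches:', resolved_exec_path(posix_locale_env()))
    print(run_posix(['sh', '-c', 'echo "LC_ALL=$LC_ALL PATH=$PATH"']).stdout)
```

Whether env={} still yields a cwd entry on a newer interpreter depends on that interpreter's os.defpath; the check above reports it either way.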
--- Begin Message ---
Source: debian-goodies
Source-Version: 0.81
We believe that the bug you reported is fixed in the latest version of
debian-goodies, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Axel Beckert <[email protected]> (supplier of updated debian-goodies package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 21 Jul 2018 01:30:15 +0200
Source: debian-goodies
Binary: debian-goodies
Architecture: source all
Version: 0.81
Distribution: unstable
Urgency: medium
Maintainer: Javier Fernández-Sanguino Peña <[email protected]>
Changed-By: Axel Beckert <[email protected]>
Description:
debian-goodies - Small toolbox-style utilities for Debian systems
Closes: 883889
Changes:
debian-goodies (0.81) unstable; urgency=medium
.
[ Jakub Wilk ]
* which-pkg-broke: Enforce POSIX ("C") locale without resetting $PATH to
Python's default search path which includes the current directory and
is hence a security issue. (Closes: #883889)
--- End Message ---