Package: apt-file
Version: 2.5.4
Severity: normal
Tags: security

diffindex-rred treats its parameters as shell expressions because it uses
two-argument open[0].  For example, invoking

  diffindex-rred '/bin/false |/path/to/malicious/program .gz'

at the shell results in the malicious program being executed.  This is not
what the user expects from a restricted editor.

I'm filing this as a normal bug because it isn't remotely exploitable in
ordinary usage, since patches cannot contain spaces or pipes
(diffindex-download line 296), although one can pass a single option to the
decompressor.  In order to exploit this, one must explicitly call
diffindex-rred with untrusted arguments, and I have no indication it is
actually used outside of apt-file, despite being in $PATH.

In general, one should never use the two-argument form of open, and several
places in the code pass all sorts of things through the shell that should
have no interaction with the shell at all.  I can't find any that are
actually exploitable in typical usage, but I've spent only an hour looking.
I recommend a thorough audit.

I'm marking this bug as security in case the Security Team wants to issue an
advisory, although I suspect they will not (or I would have notified them
directly).

[0] https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=76775519

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt-file depends on:
ii  curl                           7.42.1-3
ii  libapt-pkg-perl                0.1.29+b2
ii  libconfig-file-perl            1.50-3
ii  liblist-moreutils-perl         0.410-1
ii  libregexp-assemble-perl        0.35-8
ii  perl                           5.20.2-6
ii  perl-base [libfile-temp-perl]  5.20.2-6

apt-file recommends no packages.

Versions of packages apt-file suggests:
ii  openssh-client  1:6.7p1-6
ii  sudo            1.8.12-1

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
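The two-argument open() behaviour the report describes, as an added Perl example; it is not part of the bug report and not apt-file's own code. The "filename" string, the function names, and the choice of gzip as the decompressor are assumptions for illustration, and the script assumes perl and gzip are installed. It shows why a filename containing a pipe character is executed under the two-argument form, that the three-argument form treats the same string as a literal path, and how a decompressor can be invoked on an untrusted filename without ever touching the shell.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or from apt-file): how Perl's
# two-argument open() parses its filename argument, and the two safe forms.
use strict;
use warnings;

# Constructed "filename" standing in for an untrusted argument.  Under the
# two-argument form a trailing '|' turns it into a shell pipeline: the
# command is run and its stdout becomes the file handle.
my $tainted = '/bin/echo SHELL-RAN-AS-A-COMMAND |';

sub read_two_arg {
    my ($name) = @_;
    # Two-argument form: the mode is parsed out of the string itself, so a
    # leading '<', '>', '>>', '+<', a leading or trailing '|' and surrounding
    # whitespace all change what open() does.
    open(my $fh, $name) or return "open failed: $!";
    my $data = do { local $/; <$fh> };
    close($fh);
    return $data;
}

sub read_three_arg {
    my ($name) = @_;
    # Three-argument form: the mode is fixed to '<' and $name is used verbatim
    # as a path.  No shell is involved whatever $name contains.
    open(my $fh, '<', $name) or return "open failed: $!";
    my $data = do { local $/; <$fh> };
    close($fh);
    return $data;
}

sub read_via_decompressor {
    my ($file) = @_;
    # When a decompressor really is needed, use the list-form pipe open: Perl
    # fork()s and exec()s the argv list directly, so $file is exactly one
    # argument.  Spaces, '|' and a leading '-' in it cannot alter the command
    # (the '--' stops gzip from treating $file as an option).
    open(my $fh, '-|', 'gzip', '-dc', '--', $file) or return "open failed: $!";
    my $data = do { local $/; <$fh> };
    close($fh);    # false if gzip exited non-zero; its status is in $?
    return $? == 0 ? $data : "gzip exited with status " . ($? >> 8);
}

print "two-arg:       ", read_two_arg($tainted);           # runs /bin/echo
print "three-arg:     ", read_three_arg($tainted), "\n";   # ENOENT, no exec
print "list-form:     ", read_via_decompressor($tainted), "\n";  # gzip fails, no shell
```

Run it as an ordinary user with `perl open-demo.pl`. The first line shows the echo command's output, proving the two-argument form executed it; the second reports "No such file or directory" because the three-argument form looked for a file literally named `/bin/echo SHELL-RAN-AS-A-COMMAND |`; the third shows gzip complaining on stderr and exiting non-zero, because the whole string reached gzip as a single argv element. The same list-form pipe open is the right replacement wherever a decompressor or other helper is currently launched through a string built from a filename.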