Package: bpfcc-tools
Version: 0.26.0+ds-1
Severity: normal
Tags: security
X-Debbugs-Cc: i...@valdikss.org.ru
Dear Maintainer,

Last year there was a Debian fix for the upstream issue of the bpfcc package: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028479

The patch was created by the Debian maintainer of the package, and is as follows (0001-Cleanup-existing-temporary-kernel-headers-path.patch):

--- a/src/cc/frontends/clang/kbuild_helper.cc +++ b/src/cc/frontends/clang/kbuild_helper.cc @@ -215,7 +215,8 @@ dirpath = std::string(dirpath_tmp); if (file_exists(dirpath_tmp)) - return 0; + snprintf(dirpath_tmp, 256, "Cleaning up already existing path %s", dirpath_tmp); + system(("rm -rf " + std::string(dirpath_tmp)).c_str()); // First time so extract it return extract_kheaders(dirpath, uname_data);

dirpath_tmp is getenv("TMPDIR") here, obvious code execution. Note that there are no brackets, so the system code with the TMPDIR env is executed unconditionally.

The exploitation is as simple as that:

TMPDIR=';id;' tcpconnect-bpfcc

-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
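Review bot: the second `+` line, `system(("rm -rf " + std::string(dirpath_tmp)).c_str());`, runs on every call because the `if (file_exists(dirpath_tmp))` body has no braces, so only the `snprintf` is guarded; and since `dirpath_tmp` comes from the environment (`TMPDIR`), any shell metacharacters in it are interpreted by `/bin/sh`. The `snprintf` also writes the message text back into `dirpath_tmp` itself, so the string handed to `rm -rf` is "Cleaning up already existing path <path>" rather than the path. Suggest bracing the `if` body, keeping the log message in a separate buffer, and dropping `system()` in favour of an in-process recursive removal such as `std::filesystem::remove_all(dirpath)` (or `nftw`), which never hands the TMPDIR-derived string to a shell.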
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-18-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bpfcc-tools depends on:
ii python3 3.11.2-1+b1
ii python3-bpfcc 0.26.0+ds-1
ii python3-netaddr 0.8.0-2

bpfcc-tools recommends no packages.

bpfcc-tools suggests no packages.

-- no debconf information