tags 901572 + patch
user p...@reseau-libre.net
usertags pkg-security-team

thanks

Hello,

I've updated the acccheck.pl behavior to correct (I hope) the CVE-2018-12268. User and password input files are sanitized before any use in the generated command-line string. The patch is attached to this mail.

Nevertheless, the package doesn't have separate branches for stretch and unstable releases, which leads to d/changelog files being denoted as targeting 'unstable' even in the stretch package. In the given patch, the only missing point is the "stretch-security" naming of the target, as it would be better to separate into two branches first.

Cheers,
--
Philippe Thierry.
diff -Nru acccheck-0.2.1/debian/changelog acccheck-0.2.1/debian/changelog
--- acccheck-0.2.1/debian/changelog	2016-11-08 14:36:12.000000000 +0100
+++ acccheck-0.2.1/debian/changelog	2018-08-31 21:28:02.000000000 +0200
@@ -1,3 +1,13 @@
+acccheck (0.2.1-4) unstable; urgency=high
+
+  * Team-upload.
+
+  [ Philippe Thierry ]
+  * Fixes CVE-2018-12268 (command injection via user or password file)
+  * Closes: #901572
+
+ -- Philippe Thierry <p...@reseau-libre.net>  Fri, 31 Aug 2018 21:28:02 +0200
+
 acccheck (0.2.1-3) unstable; urgency=medium
 
   * Team upload.
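
Review bot: "Team-upload." in the new 0.2.1-4 entry is hyphenated, while the 0.2.1-3 entry directly below writes "Team upload."; use the same spelling in both. The separate "* Closes: #901572" bullet would read better folded into the fix line, for example "* Fix CVE-2018-12268 (command injection via user or password file) (Closes: #901572)", so the bug closure stays attached to the change it describes.
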
diff -Nru acccheck-0.2.1/debian/patches/series acccheck-0.2.1/debian/patches/series
--- acccheck-0.2.1/debian/patches/series	2016-11-08 14:36:12.000000000 +0100
+++ acccheck-0.2.1/debian/patches/series	2018-08-31 21:28:02.000000000 +0200
@@ -1 +1,2 @@
 amend-usage-output
+shell_escape_fix.patch
diff -Nru acccheck-0.2.1/debian/patches/shell_escape_fix.patch acccheck-0.2.1/debian/patches/shell_escape_fix.patch
--- acccheck-0.2.1/debian/patches/shell_escape_fix.patch	1970-01-01 01:00:00.000000000 +0100
+++ acccheck-0.2.1/debian/patches/shell_escape_fix.patch	2018-08-31 21:28:02.000000000 +0200
@@ -0,0 +1,45 @@
+Description: Fixes vulnerability in users and passwords file usage
+ This bug allow remote command injection (CVE-2018-12268)
+Author: Philippe Thierry <p...@reseau-libre.net>:w
+Bug-Debian: https://bugs.debian.org/901571 
+--- a/acccheck.pl
++++ b/acccheck.pl
+@@ -88,6 +88,20 @@
+ $userFile=0;
+ $verbose=0;
+ 
++# first of all, sanitizing non-printable chars
++sub sanitize
++{
++  foreach $item (@_) {
++      # ASCII printable chars only
++      $item =~ s/[^[:print:]]//g;
++      # Fixes: CVE-2018-12268
++      # single quoting is used for escaping when executing smbclient.
++      # Any single quote found in the string must be escaped using autonmous
++      # explicit single quoted string
++      $item =~ s/'/'\\''/g;
++  }
++}
++
+ #main
+ {
+ 	$SIG{"INT"} = "cleanup";
+@@ -142,11 +156,15 @@
+ 	}
+ 	if($passFile == 1)
+ 	{
+-		tie @PASS_LIST, 'Tie::File', $PASSFILE or die "cannot open $PASSFILE file";
++		tie @UNSAFE_PASS_LIST, 'Tie::File', $PASSFILE or die "cannot open $PASSFILE file";
++        @PASS_LIST = @UNSAFE_PASS_LIST;
++        sanitize(@PASS_LIST);
+ 	}
+ 	if($userFile == 1)
+ 	{
+-		tie @USER_LIST, 'Tie::File', $USERFILE or die "cannot open $USERFILE file";
++		tie @UNSAFE_USER_LIST, 'Tie::File', $USERFILE or die "cannot open $USERFILE file";
++        @USER_LIST = @UNSAFE_USER_LIST;
++        sanitize(@USER_LIST);
+ 	}
+ 
+ 
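
Review bot: in the second inner hunk only the lists read from $PASSFILE and $USERFILE are passed through sanitize(), and the escaping in `$item =~ s/'/'\\''/g;` is only correct if every place that builds the smbclient command wraps the value in single quotes; those call sites are not part of this patch, so the fix cannot be confirmed from the diff alone. Please either include the call sites in the patch or, better, invoke smbclient with a list of arguments so that no shell parses the values and no quoting is needed. In sanitize(), `s/[^[:print:]]//g` silently alters any user name or password that contains a non-printable character, which changes what is actually tested; that deserves a mention in the comment or a warning under $verbose. Smaller points: `foreach $item (@_)` uses a global, so `foreach my $item (@_)` is preferable; the added lines are indented with spaces where the surrounding code uses tabs; copying the tied array into @PASS_LIST and @USER_LIST loads the whole file into memory, so the Tie::File tie no longer buys anything. In the patch header, the Author line ends in a stray ":w", Bug-Debian points to 901571 while the changelog closes #901572, and "autonmous" in the comment should be "autonomous".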
