tags 901572 + patch
user p...@reseau-libre.net
usertags pkg-security-team
thanks

Hello,

I've updated the acccheck.pl behavior to correct (I hope) CVE-2018-12268. User and password input files are sanitized before any use in the generated command-line string. The patch is attached to this mail.
Nevertheless, the package doesn't have separate branches for the stretch and unstable releases, which leads to d/changelog files being denoted as targeting 'unstable' even in the stretch package. In the given patch, the only missing point is the "stretch-security" naming of the target, as it would be better to separate into two branches first.
Cheers,

--
Philippe Thierry.
diff -Nru acccheck-0.2.1/debian/changelog acccheck-0.2.1/debian/changelog --- acccheck-0.2.1/debian/changelog 2016-11-08 14:36:12.000000000 +0100 +++ acccheck-0.2.1/debian/changelog 2018-08-31 21:28:02.000000000 +0200 @@ -1,3 +1,13 @@ +acccheck (0.2.1-4) unstable; urgency=high + + * Team-upload. + + [ Philippe Thierry ] + * Fixes CVE-2018-12268 (command injection via user or password file) + * Closes: #901572 + + -- Philippe Thierry <p...@reseau-libre.net> Fri, 31 Aug 2018 21:28:02 +0200 + acccheck (0.2.1-3) unstable; urgency=medium * Team upload. diff -Nru acccheck-0.2.1/debian/patches/series acccheck-0.2.1/debian/patches/series --- acccheck-0.2.1/debian/patches/series 2016-11-08 14:36:12.000000000 +0100 +++ acccheck-0.2.1/debian/patches/series 2018-08-31 21:28:02.000000000 +0200 @@ -1 +1,2 @@ amend-usage-output +shell_escape_fix.patch diff -Nru acccheck-0.2.1/debian/patches/shell_escape_fix.patch acccheck-0.2.1/debian/patches/shell_escape_fix.patch --- acccheck-0.2.1/debian/patches/shell_escape_fix.patch 1970-01-01 01:00:00.000000000 +0100 +++ acccheck-0.2.1/debian/patches/shell_escape_fix.patch 2018-08-31 21:28:02.000000000 +0200 
@@ -0,0 +1,45 @@ +Description: Fixes vulnerability in users and passwords file usage + This bug allow remote command injection (CVE-2018-12268) +Author: Philippe Thierry <p...@reseau-libre.net>:w +Bug-Debian: https://bugs.debian.org/901571 +--- a/acccheck.pl ++++ b/acccheck.pl +@@ -88,6 +88,20 @@ + $userFile=0; + $verbose=0; + ++#Â first of all, sanitizing non-printable chars ++sub sanitize ++{ ++ foreach $item (@_) { ++ #Â ASCII printable chars only ++ $item =~ s/[^[:print:]]//g; ++ #Â Fixes: CVE-2018-12268 ++ # single quoting is used for escaping when executing smbclient. ++ # Any single quote found in the string must be escaped using autonmous ++ # explicit single quoted string ++ $item =~ s/'/'\\''/g; ++ } ++} ++ + #main + { + $SIG{"INT"} = "cleanup"; +@@ -142,11 +156,15 @@ + } + if($passFile == 1) + { +- tie @PASS_LIST, 'Tie::File', $PASSFILE or die "cannot open $PASSFILE file"; ++ tie @UNSAFE_PASS_LIST, 'Tie::File', $PASSFILE or die "cannot open $PASSFILE file"; ++ @PASS_LIST = @UNSAFE_PASS_LIST; ++ sanitize(@PASS_LIST); + } + if($userFile == 1) + { +- tie @USER_LIST, 'Tie::File', $USERFILE or die "cannot open $USERFILE file"; ++ tie @UNSAFE_USER_LIST, 'Tie::File', $USERFILE or die "cannot open $USERFILE file"; ++ @USER_LIST = @UNSAFE_USER_LIST; ++ sanitize(@USER_LIST); + } + +
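Review bot: In the DEP-3 header of debian/patches/shell_escape_fix.patch, the Author field ends in a stray ":w" (an editor command that was typed into the file), and Bug-Debian points at https://bugs.debian.org/901571 while the changelog entry in the same diff closes #901572. Drop the ":w" and make the two bug numbers agree. In the Description, "This bug allow" should read "allows". The "#Â" sequences in the added Perl comments look like a non-breaking space after "#"; plain ASCII spaces would avoid the encoding problem.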
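Review bot: In sanitize() (acccheck.pl hunk at -88,6), the escaping s/'/'\\''/g is only safe where the value is later placed between single quotes in the smbclient command string, and none of those call sites are part of this diff. Please confirm that every interpolation of a user or password is wrapped in '...', or, if the invocation can be changed, pass the arguments as a list so that no shell parses them at all. Separately, s/[^[:print:]]//g silently deletes characters, so an entry containing non-ASCII or control bytes is tested as a different string from the one in the file; skipping such entries with a warning would keep the results accurate. $item should also be declared with my.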
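Review bot: In the $passFile and $userFile branches (acccheck.pl hunk at -142,11), only the file-backed lists go through sanitize(); if a single user or password given on the command line, or the target address, reaches the same command string, it needs the same call. The copy @PASS_LIST = @UNSAFE_PASS_LIST is what keeps sanitize() from writing its changes back to the wordlist through Tie::File, and that deserves a comment. The copy also reads the whole file into memory, so the tie no longer gains anything over a plain read, and the @UNSAFE_* arrays are not untied in this hunk.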