Hi,

On Wed, Apr 03, 2024 at 02:31:01PM +0700, ValdikSS wrote:
> Package: bpfcc-tools
> Version: 0.26.0+ds-1
> Severity: normal
> Tags: security
> X-Debbugs-Cc: i...@valdikss.org.ru
>
> Dear Maintainer,
>
> Last year there was a Debian fix for the upstream issue of the bpfcc package
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028479
>
> The patch was created by the Debian maintainer of the package, and is as follows
> (0001-Cleanup-existing-temporary-kernel-headers-path.patch):
>
> --- a/src/cc/frontends/clang/kbuild_helper.cc
> +++ b/src/cc/frontends/clang/kbuild_helper.cc
> @@ -215,7 +215,8 @@
> dirpath = std::string(dirpath_tmp);
>
> if (file_exists(dirpath_tmp))
> - return 0;
> + snprintf(dirpath_tmp, 256, "Cleaning up already existing path %s",
> dirpath_tmp);
> + system(("rm -rf " + std::string(dirpath_tmp)).c_str());
>
> // First time so extract it
> return extract_kheaders(dirpath, uname_data);
>
>
> dirpath_tmp is getenv("TMPDIR") here, obvious code execution. Note that
> there are no brackets, so the system code with TMPDIR env is executed
> unconditionally.
>
> The exploitation is as simple as that:
>
> TMPDIR=';id;' tcpconnect-bfpcc
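Review bot: the `if (file_exists(dirpath_tmp))` in this hunk has no braces, so it guards only the `snprintf` line and the `system(("rm -rf " + std::string(dirpath_tmp)).c_str())` call runs on every invocation; worse, the `snprintf` writes its message into `dirpath_tmp` itself, so on the existing-path branch the buffer no longer holds a path but the text "Cleaning up already existing path ..." (and that message is never printed anywhere). Since `dirpath_tmp` comes from the user-controlled TMPDIR environment variable, handing it to `system()` means any shell metacharacters in that value are interpreted by the shell. Suggested change: wrap both statements in braces, log the message to a separate buffer or stream rather than into `dirpath_tmp`, and delete the directory with a filesystem API (for example `std::filesystem::remove_all`) or by exec'ing `rm -rf` with the path as a separate argv element, never by building a shell command string from it.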
FWIW, there is https://security-tracker.debian.org/tracker/CVE-2024-2314 for
the (original) issue. So I guess you could drop the Debian-specific patch
addition and use the upstream fix in v0.30.0 (but have not fully verified).

Regards,
Salvatore
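As an added illustration of what the cleanup step looks like when the TMPDIR-derived path is handed to the filesystem API instead of a shell (my own C++17 code, not the Debian patch and not the upstream v0.30.0 fix), the function names `tmpdir_is_sane` and `cleanup_existing_kheaders`, the rejected-character set and the demo directory name are all assumptions:

```cpp
#include <cstdlib>
#include <cstring>
#include <filesystem>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Hypothetical pre-check: refuse TMPDIR values that cannot be a sane temp root
// before any path is derived from them. ";id;" is a legal file name, but it is
// exactly the kind of value the report shows reaching system(), so reject it.
bool tmpdir_is_sane(const char* tmpdir) {
  if (tmpdir == nullptr || tmpdir[0] != '/') return false;   // must be absolute
  static const char kReject[] = " \t\n;&|$`'\"<>()\\*?";      // shell-significant
  return std::strcspn(tmpdir, kReject) == std::strlen(tmpdir);
}

// Hypothetical no-shell cleanup of an already-extracted headers directory.
// std::filesystem::remove_all receives the path as data, so no character in it
// is ever parsed as a command. Returns true when the directory is gone afterwards.
bool cleanup_existing_kheaders(const std::string& dirpath) {
  fs::path p(dirpath);
  if (p.empty() || !p.is_absolute()) return false;
  std::error_code ec;
  if (!fs::exists(p, ec)) return !ec;           // nothing to clean
  if (!fs::is_directory(p, ec)) return false;   // never "rm -rf" a plain file
  fs::remove_all(p, ec);                        // inside the same scope as the check
  return !ec && !fs::exists(p, ec);
}

// Stand-alone demo: derive the path from TMPDIR as the report describes, but
// only after the value has passed validation (constructed directory name).
int main() {
  const char* tmpdir = std::getenv("TMPDIR");
  if (!tmpdir_is_sane(tmpdir)) tmpdir = "/tmp";
  std::string dirpath = std::string(tmpdir) + "/kheaders-demo";
  fs::create_directories(dirpath);
  return cleanup_existing_kheaders(dirpath) ? 0 : 1;
}
```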