Bug#697136: debhelper: Remote code execution, shell expansion through well-crafted source packages

Tue, 01 Jan 2013 13:09:13 -0800 

Package: debhelper
Version: 9.20120909
Severity: normal

Dear Maintainer,

please put some protection into the debhelper suite against mal-formed
package names in debian/control. There actually is a check by
dh_builddeb but that's rather late in the build process. Until then,
the name is taken as-is, even in shell expansions, allowing remote
code execution through well-crafted source packages. This is not as
bad as it seems since debian/rules already allows any mess you could
think of. Still it's annoying and surprising.

There are at least two places:

1. In dh_clean

    complex_doit("rm -f debian/$ext*.debhelper");

There is no check against binary package names as odd as

    Package: bug;date -u #

(loaded into $ext), therefore dh_clean which will execute 'date -u'
and continue.

Later in the build, dh_md5sums will fail, causing an abort.

2. In /usr/share/perl5/Debian/Debhelper/Dh_Lib.pm

    complex_doit("perl -pe 's~#DEBHELPER#~qx{cat 
debian/$ext$script.debhelper}~eg' < $file > $tmp/DEBIAN/$script")

A binary package name containing the illegal character ~ will result
in an error message if that code path is hit e.g. by providing .init
and .postinst with the '#DEBHELPER' tag.

Such a name (again in $ext) breaks the expression in a surprising way.
Sorting out the order of evaluation in the line above is left as en
exercise to the reader.


As said above, there are easier ways to compromise a buildd, hence
severity is set to normal instead of grave, security. But bad input
should be dealt with in an obvious way, not by breaking the build
process at surprising places.

Cheers,

    Christoph

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.4.24 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages debhelper depends on:
ii  binutils    2.22-7.1
ii  dpkg        1.16.9
ii  dpkg-dev    1.16.9
ii  file        5.11-2
ii  html2text   1.3.2a-15
ii  man-db      2.6.2-1
ii  perl        5.14.2-16
ii  po-debconf  1.0.16+nmu2

debhelper recommends no packages.

Versions of packages debhelper suggests:
ii  dh-make  0.61

-- no debconf information

Attachment: signature.asc
Description: Digital signature

Reply via email to