Package: dpkg
Version: 1.14.23
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu ubuntu-patch jaunty
When --instdir is used, dpkg calls chroot(instdir) but forgets to call
chdir("/") afterwards, so the current working directory is left outside
the chroot. This has been known to trigger kernel bugs (e.g.
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/251223).
I'm filing this not because the bug above was actually dpkg's fault as
such - it was clearly an Ubuntu kernel bug - but because it's clearly
good practice to make sure the current working directory is inside the
chroot. For example, without doing this, a malicious process could break
out of the chroot using fchdir(). I'm not sure if people use dpkg in a
context where this is an important security assumption, but this should
be fixed in case they do.
Thanks,
--
Colin Watson [[email protected]]
diff -Nru dpkg.orig/src/help.c dpkg/src/help.c
--- dpkg.orig/src/help.c 2008-08-26 14:52:08.000000000 +0100
+++ dpkg/src/help.c 2008-11-01 01:50:50.000000000 +0000
@@ -153,6 +153,7 @@
if (*instdir) {
if (chroot(instdir)) ohshite(_("failed to chroot to `%.250s'"),instdir);
+ if (chdir("/")) ohshite(_("failed to chdir to `%.255s'"),"/");
}
if (f_debug & dbg_scripts) {
fprintf(stderr,"D0%05o: fork/exec %s (",dbg_scripts,path);
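Review bot: the new chdir line's error message uses `%.255s` while the chroot line directly above it uses `%.250s`, and the only argument ever passed is the literal "/", so the format width buys nothing; consider the plainer `ohshite(_("failed to chdir to `/'"))` or matching the existing `%.250s` for consistency. The ordering itself is right: chdir("/") must follow chroot(instdir) so that "/" resolves inside the new root rather than the old one.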
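The pattern the report asks for, as an added example that is not dpkg's own code: a helper that enters a chroot and then chdir()s to "/", plus a small check a program can run afterwards to confirm the working directory really is the new root (after a bare chroot() without chdir, the cwd still refers to a directory outside the root). The function names and the sample path are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if the current working directory is the process root ("/"),
 * 0 if it is some other directory, -1 if stat() fails. After a correct
 * chroot()+chdir("/") this is 1; after a bare chroot() the cwd is a
 * directory outside the new root, so it would be 0. */
int cwd_is_root(void)
{
    struct stat dot, root;
    if (stat(".", &dot) != 0 || stat("/", &root) != 0)
        return -1;
    return (dot.st_dev == root.st_dev && dot.st_ino == root.st_ino) ? 1 : 0;
}

/* Enter newroot the way the patch does: chroot(2) first, then chdir("/")
 * so that "/" resolves inside the new root. Returns 0 on success, -1 with
 * errno set otherwise (chroot needs CAP_SYS_CHROOT, so an unprivileged
 * caller gets EPERM; a missing directory gets ENOENT). */
int enter_chroot(const char *newroot)
{
    if (chroot(newroot) != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;
    return 0;
}

/* Stand-alone use: enter the directory given on the command line and
 * report whether the cwd ended up inside it. Requires root privileges. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <newroot>\n", argv[0]);
        return 2;
    }
    if (enter_chroot(argv[1]) != 0) {
        fprintf(stderr, "enter_chroot(%s): %s\n", argv[1], strerror(errno));
        return 1;
    }
    printf("inside %s, cwd is root: %d\n", argv[1], cwd_is_root());
    return 0;
}
```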