On 2018-02-15 21:34:48, Ben Hutchings wrote:
> On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
>> On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
>> > Hello.
>> >
>> > I prepared an LTS security update for leptonlib. Please review and upload.
>> > You can find the debdiff along with the mail.
>> > link:
>> > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
>> >
>>
>> Abhijith,
>>
>> I have reviewed and uploaded the package. While you backported the
>> upstream fix, I feel like their approach falls under item #2 of "The Six
>> Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
>> help but wonder if another vulnerability will be uncovered later that
>> uses different characters that are not being checked.
>
> I found one already: it filters out `command` but not $(command).
>
> I'm afraid this library appears to have been written without any regard
> for security, or even the existence of multiuser systems.
>
> Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> and I think there are more instances.
>
> Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> can still see:
[...]

I've re-added the package to dla-needed.txt for #889759 / CVE-2018-3836.

Should a new CVE be issued for #885704?

A.

-- 
If you have come here to help me, you are wasting our time.
But if you have come because your liberation is bound up with mine, then
let us work together.
    - Aboriginal activists group, Queensland, 1970s
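The point Roberto and Ben make above (a character denylist in front of a shell command line is "enumerating badness", and a second substitution syntax slips straight past it) is worth seeing in code. The following is an added example written for this page; it is not leptonlib's code nor the upstream fix, and it does not reproduce the vulnerable function. The filter functions, the `run_plotter_without_shell` helper and the sample file names are all constructed here for illustration. It contrasts three things: a denylist that strips backticks, an allowlist that admits only characters with no shell meaning, and the structural fix of never building a shell command line at all, passing the file name as a literal argv entry to the helper program instead.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Denylist filter in the spirit of the fix criticised in the thread:
 * refuse one known-bad character and hand everything else to a shell.
 * Hypothetical illustration, not leptonlib's code. */
static bool denylist_accepts(const char *name)
{
    return name != NULL && strchr(name, '`') == NULL;
}

/* Allowlist filter: the name may contain only characters that have no
 * meaning to a POSIX shell.  Anything else is rejected outright. */
static bool allowlist_accepts(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (!(isalnum(*p) || *p == '.' || *p == '_' || *p == '-' || *p == '/'))
            return false;
    }
    return true;
}

/* True if a POSIX shell would perform command substitution on the string,
 * in either the backtick form or the $(...) form Ben points out. */
static bool shell_would_substitute(const char *name)
{
    return strchr(name, '`') != NULL || strstr(name, "$(") != NULL;
}

/* The structural fix: do not build a shell command line.  Exec the helper
 * directly with an argv, so every byte of the file name is a literal
 * argument.  Returns the child's exit status, 127 if exec failed in the
 * child, or -1 if the child could not be created or waited for. */
static int run_plotter_without_shell(const char *program, const char *datafile)
{
    char *const argv[] = { (char *)program, (char *)datafile, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(program, argv);
        _exit(127);            /* exec failed; never falls back to a shell */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: a harmless name and both substitution forms. */
    const char *names[] = { "plot.data", "`id`.data", "$(id).data" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-12s denylist=%d allowlist=%d shell-substitutes=%d\n",
               names[i], denylist_accepts(names[i]),
               allowlist_accepts(names[i]), shell_would_substitute(names[i]));
    }
    /* With execvp the payload is only an argument; echo prints it verbatim. */
    int rc = run_plotter_without_shell("echo", "$(id).data");
    printf("echo exited with %d\n", rc);
    return 0;
}
```

Running it shows the denylist accepting `$(id).data` while `shell_would_substitute` flags it, and `echo` printing the string unchanged because no shell ever parsed it. The allowlist is the minimal in-place repair if the shell call has to stay; the exec-with-argv path is the one that removes the bug class instead of the current instance.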