Hi Ben, On Sat, Feb 17, 2018 at 09:28:19PM +0000, Ben Hutchings wrote: > On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote: > > On 2018-02-15 21:34:48, Ben Hutchings wrote: > > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote: > > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote: > > > > > Hello. > > > > > > > > > > I prepared LTS security update for leptonlib. Please review and > > > > > upload. > > > > > You can find debdiff along with the mail. > > > > > link: > > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc > > > > > > > > > > > > > Abhijith, > > > > > > > > I have reviewed and uploaded the package. While you backported the > > > > upstream fix, I feel like their approach falls under item #2 of "The Six > > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot > > > > help but wonder if another vulnerability will be uncovered later that > > > > uses different characters that are not being checked. > > > > > > I found one already: it filters out `command` but not $(command). > > > > > > I'm afraid this library appears to have been written without any regard > > > for security, or even the existence of multiuser systems. > > > > > > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy, > > > and I think there are more instances. > > > > > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I > > > can still see: > > > > [...] > > > > I've re-added the package to dla-needed.txt for #889759 / > > CVE-2018-3836. Should a new CVE be issued for #885704? > > I think additional CVEs are needed for: > > 1. #890548
This one has CVE-2018-7186. > 2. Incomplete fix for #889759 / CVE-2018-3836 > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so > there is a possibility of path traversal and arbitrary file overwrite > 4. #885704 > 5. The remaining hardcoded paths in /tmp Have you already requested CVEs for the other issues? Regards, Salvatore
