Package: release.debian.org
Severity: normal
Tags: bookworm security
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:ucf
Hello,

Please consider accepting src:ucf version 3.0043+nmu1+deb12u1 into bookworm. This would fix #1089015.

[ Reason ]
I have recently completed salvaging of src:ucf[1]. As part of code review I discovered a variable inherited from the environment without initialisation which is subsequently passed to eval[2]. Command injection is trivial to demonstrate. The Security team have been consulted and are content to handle this through -pu.

To me, the issue appears to be a coding oversight. It is present in all current stable releases.

[ Impact ]
The security issue will remain.

[ Tests ]
Manual testing has not exposed any regressions.

[ Risks ]
The fix is obvious and straightforward. There is a theoretical risk that users might be using this inheritance as an undocumented 'feature'. However, nobody has indicated awareness of this[3] so far.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable (but see below)

[ Changes ]
Initialise 'saved' variable before use to prevent inheritance from the environment.

[ Other info ]
The fix in unstable/testing is different: the code has been rewritten so as to remove virtually all uses of eval and remove the need to save/restore $@.

[1] https://bugs.debian.org/1086847
[2] https://bugs.debian.org/1089015
[3] https://lists.debian.org/debian-devel/2024/12/msg00424.html

Thanks

Mark
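The report above describes the bug only in prose. The following is an added illustration, not code from the ucf package or from the reporter: it reproduces the `saved` accumulation loop from the debdiff in both its unfixed and fixed form and shows that, without the `saved=` initialisation, whatever value the variable already holds is spliced into the command line that `eval` later reconstructs. The `quote_single` helper here is an assumed re-implementation (ucf's real one is not shown in the report), and the "leaked" value is a constructed stand-in for an exported environment variable.

```shell
#!/bin/sh
# Added example (not ucf's own code): why the one-line 'saved=' fix matters
# when a quoted copy of "$@" is later handed back to the shell with eval.

# Assumed re-implementation of ucf's quote_single: escape every embedded
# single quote as '\'' so the caller can wrap the result in single quotes
# and eval will reproduce the original argument exactly.
quote_single() {
    printf '%s' "$1" | sed "s/'/'\\\\''/g"
}

# Rebuild the saved command line the way the ucf loop does, then give it
# back to the shell with eval (as ucf does later) and report what came out:
# the argument count followed by each argument, separated by '|'.
# $1 selects the variant:
#   unsafe - the bookworm code before the fix: 'saved' is not initialised,
#            so any value it already has (e.g. from the environment) leaks in
#   fixed  - the debdiff behaviour: start from an empty string
restore_args() {
    variant=$1
    shift
    if [ "$variant" = fixed ]; then
        saved=
    fi
    for arg in "$@"; do
        # ${saved:+...} treats empty like unset, so no leading space on the
        # first iteration; a pre-existing non-empty value is kept and prefixed
        saved="${saved:+$saved }'$(quote_single "$arg")'"
    done
    eval "set -- $saved"
    printf '%s' "$#"
    for restored in "$@"; do
        printf '|%s' "$restored"
    done
    echo
}

# Constructed stand-in for a value inherited from the environment. It is a
# harmless extra word here; the point is that it reaches eval at all.
saved="'leaked-from-environment'"
echo "unsafe: $(restore_args unsafe foo 'bar baz')"   # 3 arguments instead of 2
saved="'leaked-from-environment'"
echo "fixed:  $(restore_args fixed foo 'bar baz')"    # the 2 arguments given
```

Each `restore_args` call runs inside a command substitution, so the caller's `saved` is not modified between the two demonstrations. The same check is a cheap regression test for scripts that accumulate into a variable before `eval`: export a marker value under the variable's name, run the script, and confirm the marker never appears in the reconstructed arguments.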
dpkg-source: warning: extracting unsigned source package (/home/mark/src/debian/build/ucf_3.0043+nmu1.dsc) diff -Nru ucf-3.0043+nmu1/debian/changelog ucf-3.0043+nmu1+deb12u1/debian/changelog --- ucf-3.0043+nmu1/debian/changelog 2023-01-27 13:29:51.000000000 +0000 +++ ucf-3.0043+nmu1+deb12u1/debian/changelog 2024-12-20 07:39:40.000000000 +0000 @@ -1,3 +1,9 @@ +ucf (3.0043+nmu1+deb12u1) bookworm; urgency=medium + + * Initialise variable subsequently passed to eval. (Closes: #1089015) + + -- Mark Hindley <[email protected]> Fri, 20 Dec 2024 07:39:40 +0000 + ucf (3.0043+nmu1) unstable; urgency=medium * Non-maintainer upload. diff -Nru ucf-3.0043+nmu1/ucf ucf-3.0043+nmu1+deb12u1/ucf --- ucf-3.0043+nmu1/ucf 2023-01-27 13:29:51.000000000 +0000 +++ ucf-3.0043+nmu1+deb12u1/ucf 2024-12-20 07:39:40.000000000 +0000 @@ -342,6 +342,7 @@ OLD_SUFFIX="ucf-old" ERR_SUFFIX="merge-error" # save up the cmdline with proper quoting/escaping +saved= for arg in "$@"; do saved="${saved:+$saved }'$(quote_single "$arg")'" done
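Review bot: the changelog entry "Initialise variable subsequently passed to eval. (Closes: #1089015)" does not say which variable, that its previous value came from the environment, or that this closes a command-injection hole, so the stable release notes will not show why this is a security update. Consider wording it along the lines of "Initialise 'saved' before use so that a value inherited from the environment is no longer passed to eval (command injection). (Closes: #1089015)".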
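Review bot: the added `saved=` line in the ucf hunk is the right shape for this loop: `${saved:+$saved }` treats an empty value the same as an unset one, so initialising to the empty string (rather than `unset saved`) keeps the first iteration free of a leading space and makes the later `eval` see only the quoted copies of "$@". Because the line looks like a no-op to a reader who does not know the history, add a short comment on it (for example "# do not inherit a value from the environment") so a future cleanup does not remove it, especially since the unstable branch no longer contains this code and cannot serve as a reference.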

