Package: release.debian.org Severity: normal Tags: bullseye security User: [email protected] Usertags: pu X-Debbugs-Cc: [email protected] Control: affects -1 + src:ucf
Hello, Please consider accepting src:ucf version 3.0043+deb11u1 into bullseye. This would fix #1089015. [ Reason ] I have recently completed salvaging of src:ucf[1]. As part of code review I discovered a variable inherited from the environment without initialisation which is subsequently passed to eval[2]. Command injection is trivial to demonstrate. The Security team have been consulted and are content to handle this through -pu. To me, the issue appears to be a coding oversight. It is present in all current stable releases. [ Impact ] The security issue will remain. [ Tests ] Manual testing has not exposed any regressions. [ Risks ] The fix is obvious and straightforward. There is a theoretical risk that users might be using this inheritance as an undocumented 'feature'. However, nobody has indicated awareness of this[3] so far. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable (but see below) [ Changes ] Initialise 'saved' variable before use to prevent inheritance from the environment. [ Other info ] The fix in unstable/testing is different: the code has been rewritten so as to remove virtually all uses of eval and remove the need to save/restore $@. [1] https://bugs.debian.org/1086847 [2] https://bugs.debian.org/1089015 [3] https://lists.debian.org/debian-devel/2024/12/msg00424.html Thanks Mark
diff -Nru ucf-3.0043+deb11u1/debian/changelog ucf-3.0043/debian/changelog --- ucf-3.0043+deb11u1/debian/changelog 2024-12-23 11:41:23.000000000 +0000 +++ ucf-3.0043/debian/changelog 2020-06-16 06:37:53.000000000 +0100 @@ -1,9 +1,3 @@ -ucf (3.0043+deb11u1) bullseye; urgency=medium - - * Initialise variable subsequently passed to eval. (Closes: #1089015) - - -- Mark Hindley <[email protected]> Mon, 23 Dec 2024 11:41:23 +0000 - ucf (3.0043) unstable; urgency=high * The argument to dpkg-divert needs to be the actual file name, not the diff -Nru ucf-3.0043+deb11u1/ucf ucf-3.0043/ucf --- ucf-3.0043+deb11u1/ucf 2024-12-23 11:41:23.000000000 +0000 +++ ucf-3.0043/ucf 2020-06-16 06:37:53.000000000 +0100 @@ -342,7 +342,6 @@ OLD_SUFFIX="ucf-old" ERR_SUFFIX="merge-error" # save up the cmdline with proper quoting/escaping -saved= for arg in "$@"; do saved="${saved:+$saved }'$(quote_single "$arg")'" done
