Processed: Re: Bug#882258: busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters

2017-11-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 882258 1:1.20.0-7
Bug #882258 [src:busybox] busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Marked as found in versions busybox/1:1.20.0-7.
> found 882258 1:1.22.0-9+deb8u1
Bug #882258 [src:busybox] busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Marked as found in versions busybox/1:1.22.0-9+deb8u1.
> found 882258 1:1.22.0-19
Bug #882258 [src:busybox] busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Marked as found in versions busybox/1:1.22.0-19.
> found 882258 1:1.27.2-1
Bug #882258 [src:busybox] busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Ignoring request to alter found versions of bug #882258 to the same values previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
882258: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882258
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#882258: busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters

2017-11-20 Thread Christoph Biedl
found 882258 1:1.20.0-7
found 882258 1:1.22.0-9+deb8u1
found 882258 1:1.22.0-19
found 882258 1:1.27.2-1
thanks

Salvatore Bonaccorso wrote...

> Please adjust the affected versions in the BTS as needed, only
> unstable checked so far.

Can help with that: All versions back to and including wheezy are
affected. Luckily the fix applies sanely everywhere, updated packages
will follow ASAP.

Christoph




Processed: severity of 882258 is important, tagging 882258

2017-11-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 882258 important
Bug #882258 [src:busybox] busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Severity set to 'important' from 'grave'
> tags 882258 + upstream fixed-upstream
Bug #882258 [src:busybox] busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Added tag(s) upstream and fixed-upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
882258: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882258
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#882258: busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters

2017-11-20 Thread Salvatore Bonaccorso
Source: busybox
Version: 1:1.27.2-1
Severity: grave
Tags: security

Hi,

the following vulnerability was published for busybox. I realize you
know of the issue already but am just filing to have a tracking bug as
well in the BTS.

CVE-2017-16544[0]:
| In the add_match function in libbb/lineedit.c in BusyBox through
| 1.27.2, the tab autocomplete feature of the shell, used to get a list
| of filenames in a directory, does not sanitize filenames and results in
| executing any escape sequence in the terminal. This could potentially
| result in code execution, arbitrary file writes, or other attacks.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16544
[1] https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8

Please adjust the affected versions in the BTS as needed, only
unstable checked so far.

Regards,
Salvatore
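As an added illustration of the mitigation the bug title describes (refusing to tab-complete names that contain control characters), here is example code that is not busybox's own: `has_control_chars`, `filter_matches` and `render_visible` are hypothetical helpers, and the directory listing is constructed.

```c
#include <stdio.h>
#include <string.h>

/* 1 if the name holds any byte a terminal could treat as control/escape (below 0x20, or DEL). */
int has_control_chars(const char *name)
{
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 1;
    return 0;
}

/* Hypothetical completion filter (not busybox's add_match): keep only names safe to echo. */
size_t filter_matches(const char *const *names, size_t n, const char **out, size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < cap; i++)
        if (!has_control_chars(names[i]))
            out[kept++] = names[i];
    return kept;
}

/* For output that must still show a rejected name: render control bytes in caret
 * notation (ESC -> "^["). NUL-terminates out; returns how many bytes were escaped. */
size_t render_visible(const char *name, char *out, size_t out_len)
{
    size_t o = 0, escaped = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p && o + 2 < out_len; p++) {
        if (*p < 0x20 || *p == 0x7f) {
            out[o++] = '^';
            out[o++] = (char)(*p == 0x7f ? '?' : *p + '@');
            escaped++;
        } else
            out[o++] = (char)*p;
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed listing: the middle entry embeds an ANSI colour escape sequence. */
    const char *entries[] = { "notes.txt", "\x1b[31mred\x1b[0m.txt", "data.csv" };
    const char *safe[3];
    char shown[64];
    size_t n = filter_matches(entries, 3, safe, 3);
    for (size_t i = 0; i < n; i++)
        printf("completion: %s\n", safe[i]);
    render_visible(entries[1], shown, sizeof shown);
    printf("rejected: %s\n", shown);
    return 0;
}
```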



Re: Easier installer?

2017-11-20 Thread Thomas Lange
> On Mon, 20 Nov 2017 10:30:06 -0500, lsore...@csclub.uwaterloo.ca (Lennart 
> Sorensen) said:

> On Sun, Nov 19, 2017 at 12:26:58PM +0100, Thomas Lange wrote:
>> > On Sun, 19 Nov 2017 11:56:35 +0100, Thomas Lange 
 said:
>> 
>> > JFTR, I just looked at an openSuse Tumbleweed installation. They are
>> > using a world map for selecting the timezone.
>> And Linux Mint is showing a world map with timezones, but no country borders.

> Do they have a zoom?  Otherwise some timezones would be very very hard
> to select.
Have a look at https://www.rootusers.com/install-linux-mint/
Linux Mint does not have a zoom, but you can enter a city on the
bottom. opensuse has a zoom function in the map.
Screenshots: https://www.unixmen.com/opensuse-tumbleweed-last-kde-plasma/
-- 
regards Thomas



Re: Easier installer?

2017-11-20 Thread Samuel Thibault
Lennart Sorensen, on lun. 20 nov. 2017 10:24:35 -0500, wrote:
> On Sat, Nov 18, 2017 at 09:20:36PM +, Ben Hutchings wrote:
> > Implementing locale selection using a map also runs the risk of getting
> > your software banned in countries that disagree with where you put the
> > borders.
> 
> Also tricky in the non-gui installer, which at least some systems have
> to use (serial or ssh install on systems without graphics).
> 
> Sure those systems are probably not as likely to be the typical simple
> user cases.

Yes, I believe we don't need to support beginner users there :)

Samuel



Re: Easier installer?

2017-11-20 Thread Lennart Sorensen
On Sun, Nov 19, 2017 at 12:26:58PM +0100, Thomas Lange wrote:
> > On Sun, 19 Nov 2017 11:56:35 +0100, Thomas Lange 
> >  said:
> 
> > JFTR, I just looked at an openSuse Tumbleweed installation. They are
> > using a world map for selecting the timezone.
> And Linux Mint is showing a world map with timezones, but no country borders.

Do they have a zoom?  Otherwise some timezones would be very very hard
to select.

-- 
Len Sorensen



Re: Easier installer?

2017-11-20 Thread Lennart Sorensen
On Sat, Nov 18, 2017 at 09:20:36PM +, Ben Hutchings wrote:
> Implementing locale selection using a map also runs the risk of getting
> your software banned in countries that disagree with where you put the
> borders.

Also tricky in the non-gui installer, which at least some systems have
to use (serial or ssh install on systems without graphics).

Sure those systems are probably not as likely to be the typical simple
user cases.

-- 
Len Sorensen



Re: Easier installer?

2017-11-20 Thread Philip Hands
On Sat, 18 Nov 2017, "Jonathan Carter (highvoltage)"  wrote:
> Hi Samuel
>
> On 18/11/2017 02:15, Samuel Thibault wrote:
>> Put another way: I *don't* think we want to change this set of
>> questions, we'd just lose users. Thus the other proposal, proposed right
>> from the start of the thread: have *another* panel of questions really
>> meant for beginner, and that advanced users can easily skip, for the 90%
>> cases that often match beginners cases.
>
> +1, because the choice of questions is just one part of the problem. The
> other is that d-i asks some questions, does some work, and then asks
> some more questions. For a simple mode for the 90% of users out there,
> it could ask all the simple questions up front and then continue with
> the work. Right?

The later questions are mostly conditional on the state of the installer
at the time they are asked, so one cannot do a simple-minded automatic
reordering.

Some of them are really about the state of the archive (e.g. the tasksel
menu) which could be pre-processed and then asked early (if we don't
mind losing the option of updating the tasks after the media are built).

Others are things where we could just decide to ask early in a
handcrafted ask-early.udeb that then preseeds the later questions to
avoid them being asked mid-install.

Working out how to ask about partitioning before one knows what disks
are available is not going to be fixed by either approach though.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,GERMANY




getting on the boot list

2017-11-20 Thread Gregory A. Lewis
how do I subscribe to this list?