Package: apt-file
Version: 2.5.4
Severity: normal
Tags: security
diffindex-rred treats its parameters as shell expressions because it
uses two-argument open[0]. For example, invoking
diffindex-rred '/bin/false |/path/to/malicious/program .gz'
at the shell results in the malicious program being executed. This is
not what the user expects from a restricted restricted editor.
I'm filing this as a normal bug because it isn't remotely exploitable in
ordinary usage, since patches cannot contain spaces or pipes
(diffindex-download line 296), although one can pass a single option to
the decompressor. In order to exploit this, one must explicitly call
diffindex-rred with untrusted arguments, and I have no indication it is
actually used outside of apt-file, despite being in $PATH.
In general, one should never use the two-argument form of open, and
several places in the code pass all sorts of things through the shell
that should have no interaction with the shell at all. I can't find any
that are actually exploitable in typical usage, but I've spent only an
hour looking. I recommend a thorough audit.
I'm marking this bug as security in case the Security Team wants to
issue an advisory, although I suspect they will not (or I would have
notified them directly).
[0] https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=76775519
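Added example, not code from apt-file or diffindex-rred: the pattern the report describes (a decompressor command built as a string and handed to two-argument open, which runs it through the shell) beside the list-form pipe open that never involves a shell. The sub names and the sample path are assumed for illustration.

```perl
#!/usr/bin/perl
# Added example, not taken from apt-file or diffindex-rred.
# Sub names and the sample path below are assumed for illustration.
use strict;
use warnings;

# Vulnerable pattern: the path is interpolated into a command string and
# the trailing "|" makes two-argument open hand it to /bin/sh. A path such
# as "/bin/false |/other/program .gz" therefore becomes a shell pipeline.
sub decompress_via_shell {
    my ($path) = @_;
    open(my $fh, "gzip -dc $path |") or return undef;
    local $/;
    my $data = <$fh>;
    close $fh or return undef;
    return $data;
}

# Safe pattern: list-form pipe open. Perl forks and execs gzip directly
# with $path as a single argv element; "|", spaces and quotes in $path
# are just bytes in a filename, never shell syntax.
sub decompress_via_exec {
    my ($path) = @_;
    open(my $fh, '-|', 'gzip', '-dc', '--', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh or return undef;   # close sets $? from gzip's exit status
    return $data;
}

# Constructed sample: a name containing a pipe and spaces. With the safe
# form gzip only reports that no such file exists and we get undef;
# nothing after the "|" is ever executed.
my $odd = '/nonexistent |/tmp/not-run .gz';
my $out = decompress_via_exec($odd);
print defined $out ? "decompressed\n" : "gzip failed cleanly, no command ran\n";
```

Only the safe form is invoked at the bottom; the shell form is kept only to show the shape of the construct that makes a pipe character in an argument executable.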
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apt-file depends on:
ii curl 7.42.1-3
ii libapt-pkg-perl 0.1.29+b2
ii libconfig-file-perl 1.50-3
ii liblist-moreutils-perl 0.410-1
ii libregexp-assemble-perl 0.35-8
ii perl 5.20.2-6
ii perl-base [libfile-temp-perl] 5.20.2-6
apt-file recommends no packages.
Versions of packages apt-file suggests:
ii openssh-client 1:6.7p1-6
ii sudo 1.8.12-1
-- no debconf information
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187