Your message dated Thu, 28 Feb 2019 21:03:39 +0000
with message-id <e1gzsqb-000e04...@fasolo.debian.org>
and subject line Bug#920269: fixed in groff 1.22.4-3
has caused the Debian Bug report #920269,
regarding groff: gropdf can execute arbitrary commands
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
920269: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: groff
Version: 1.22.4-2
Severity: grave
Tags: security
Justification: user security hole

According to the gropdf(1) man page:

       gropdf [-dels] [-F dir] [-I dir] [-p paper-size] [-u [cmapfile]]
              [-y foundry] [file ...]

but providing a "filename" with a pipe character can yield an
arbitrary command execution:

$ touch foo
$ ls foo
foo
$ gropdf "rm foo|"
$ ls foo
ls: cannot access 'foo': No such file or directory
$ 

The reason is that gropdf is a Perl script that uses the insecure
null filehandle "<>". The perlop(1) man page says:

  Since the null filehandle uses the two argument form of "open" in
  perlfunc it interprets special characters, so if you have a script like
  this:

      while (<>) {
          print;
      }

  and call it with "perl dangerous.pl 'rm -rfv *|'", it actually opens a
  pipe, executes the "rm" command and reads "rm"'s output from that pipe.

BTW, I fear that's not the only Perl script that is affected by such
a bug.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages groff depends on:
ii  groff-base  1.22.4-2
ii  libc6       2.28-5
ii  libgcc1     1:8.2.0-14
ii  libice6     2:1.0.9-2
ii  libsm6      2:1.2.2-1+b3
ii  libstdc++6  8.2.0-14
ii  libx11-6    2:1.6.7-1
ii  libxaw7     2:1.0.13-1+b2
ii  libxmu6     2:1.1.2-2
ii  libxt6      1:1.1.5-1

Versions of packages groff recommends:
ii  ghostscript                      9.26~dfsg-0+deb9u2
ii  imagemagick                      8:6.9.10.23+dfsg-2
ii  imagemagick-6.q16 [imagemagick]  8:6.9.10.23+dfsg-2
ii  libpaper1                        1.1.26
ii  netpbm                           2:10.0-15.3+b2
ii  perl                             5.28.1-3
ii  psutils                          1.17.dfsg-4

groff suggests no packages.

-- no debconf information

--- End Message ---
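
The behaviour quoted from perlop(1) above comes from the two-argument open() behind "<>". The following is an added example, not part of the bug report and not gropdf's code, showing a loop that treats every argument as a literal file name; read_args_safely and the scratch file are hypothetical names constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not gropdf's code): read command-line arguments as literal
# file names instead of passing them through two-argument open().
use strict;
use warnings;
use File::Temp qw(tempdir);

# Three-argument open() with an explicit '<' mode: characters such as '|'
# or '>' in a name are part of the file name, never open() syntax.
# (On Perl 5.22 and later, "while (<<>>)" gives the same guarantee.)
sub read_args_safely {
    my @names = @_;
    my (@lines, @errors);
    for my $name (@names) {
        if (open(my $fh, '<', $name)) {
            push @lines, <$fh>;
            close($fh);
        } else {
            # A name like "rm foo|" ends up here: no such file exists.
            push @errors, "cannot open '$name': $!";
        }
    }
    return (\@lines, \@errors);
}

# Constructed demonstration: a marker file in a scratch directory, plus an
# argument shaped like the one in the report.
my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/foo";
open(my $out, '>', $file) or die "create $file: $!";
print {$out} "marker\n";
close($out);

my ($lines, $errors) = read_args_safely($file, "rm $file|");
print "read: $_" for @$lines;
print "error: $_\n" for @$errors;
print -e $file ? "marker file still exists\n" : "marker file was removed\n";
```

The second argument is reported as a missing file and the marker file survives, because no pipe is ever opened.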
--- Begin Message ---
Source: groff
Source-Version: 1.22.4-3

We believe that the bug you reported is fixed in the latest version of
groff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 920...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated groff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 28 Feb 2019 19:44:28 +0000
Source: groff
Architecture: source
Version: 1.22.4-3
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <cjwat...@debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Closes: 920269
Changes:
 groff (1.22.4-3) unstable; urgency=medium
 .
   * Avoid Perl's unsafe "<>" operator (closes: #920269).

--- End Message ---
