Re: deb vfs security issue (CAN-2004-0494)



Hi Jakub,

On Wed, 2004-08-18 at 17:22, Jakub Jelinek wrote:
> There are many other scripts which need similar treatment.
> grep -l bin/perl /usr/share/mc/extfs/* | xargs grep open
> shows a lot of (potential) problems, at least in a, apt, debd, mailfs,
> patchfs, rpms and uzip.

a looks vulnerable. This script uses $disk:/$path. Hm. Very dozy. What
files is it used for anyway?

apt uses the result of a find. Probably vulnerable. Also uses the output
of an "apt-cache dumpavail". Maybe somebody could enlighten me on this
command, but I think it could use escaping anyway. And an unchecked
$file. Bad script! Bad!

deba also vulnerable.

debd idem.

dpkg idem.

mailfs idem.

patchfs idem.

rpms uses an unchecked $ARGS[3]. Looks vulnerable.

And last but not least: uzip uses map(quotemeta, <vars>). quotemeta is
even a bit more restrictive than the substitution I use (only leave A-Z,
a-z, 0-9 and _, i.e. \w alone). So this is the only script *not*
vulnerable.

Maybe somebody could explain what these deb. and dpkg files are
for? And maybe somebody on Debian could check if these are indeed
vulnerable like "deb"? And what does rpms do? As a side note: What about
trpm? Is that still in use?

Patches are in the making. I assume these should be against the source
tree, i.e. the .in files instead of against the compiled versions as my
previous patch is.

Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
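
The difference between an unescaped name, a quotemeta-escaped name and a list-form open, as an added example that is not part of the original message or of the mc extfs scripts. The archive name and the echo command are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: an archive name containing shell metacharacters.
my $archive = 'pkg; echo INJECTED #.deb';

# Run a command string through a piped open and return its output.
# A single string containing metacharacters is handed to /bin/sh.
sub run_string {
    my ($cmd) = @_;
    open(my $fh, '-|', $cmd) or die "cannot run '$cmd': $!";
    my $out = do { local $/; <$fh> };
    close($fh);
    return $out;
}

# Run a command given as a list: Perl execs it directly, so no shell
# ever parses the arguments.
sub run_list {
    my @argv = @_;
    open(my $fh, '-|', @argv) or die "cannot run '$argv[0]': $!";
    my $out = do { local $/; <$fh> };
    close($fh);
    return $out;
}

# 1. Unescaped interpolation: the shell splits the line at ';' and runs
#    the text after it as a second command.
print "unescaped:\n", run_string("echo listing $archive");

# 2. quotemeta backslash-escapes every character outside [A-Za-z0-9_],
#    so the shell sees the whole name as one literal word.
print "quotemeta:\n", run_string('echo listing ' . quotemeta($archive));

# 3. List form: the name is passed as a single argv element, unmodified.
print "list form:\n", run_list('echo', 'listing', $archive);
```

quotemeta also turns a newline in a name into backslash-newline, which the shell treats as a line continuation and drops, so the escaped name no longer matches the real file; the list form passes such names through unchanged.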




