Control: found -1 1:1.22.0-19+b3
Control: severity -1 serious

Dear maintainers,

I just ran into this bug as well and just like for Bernhard, it had me
pulling my hair for a couple of hours before I realized what was wrong:

        root@shepard:~# apt install busybox-static
        Reading package lists... Done
        Building dependency tree       
        Reading state information... Done
        The following packages will be REMOVED:
          busybox*
        The following NEW packages will be installed:
          busybox-static
        0 upgraded, 1 newly installed, 1 to remove and 0 not upgraded.
        Need to get 855 kB of archives.
        After this operation, 1,186 kB of additional disk space will be used.
        Do you want to continue? [Y/n] y
        Get:1 http://cdn-fastly.deb.debian.org/debian buster/main amd64 busybox-static amd64 1:1.22.0-19+b3 [855 kB]
        Fetched 855 kB in 1s (571 kB/s)        
        (Reading database ... 332551 files and directories currently installed.)
        Removing busybox (1:1.22.0-19+b3) ...
        Selecting previously unselected package busybox-static.
        (Reading database ... 332542 files and directories currently installed.)
        Preparing to unpack .../busybox-static_1%3a1.22.0-19+b3_amd64.deb ...
        Unpacking busybox-static (1:1.22.0-19+b3) ...
        Processing triggers for man-db (2.7.6.1-2) ...
        Setting up busybox-static (1:1.22.0-19+b3) ...
        root@shepard:~# /bin/busybox chroot / id --version
        id: unrecognized option '--version'
        BusyBox v1.22.1 (Debian 1:1.22.0-19+b3) multi-call binary.

        Usage: id [OPTIONS] [USER]

        Print information about USER or the current user

                -u      User ID
                -g      Group ID
                -G      Supplementary group IDs
                -n      Print names instead of numbers
                -r      Print real ID instead of effective ID

        root@shepard:~# /bin/busybox chroot / /usr/bin/id --version
        id (GNU coreutils) 8.26
        Copyright (C) 2016 Free Software Foundation, Inc.
        License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
        This is free software: you are free to change and redistribute it.
        There is NO WARRANTY, to the extent permitted by law.

        Written by Arnold Robbins and David MacKenzie.
        root@shepard:~# 

As you can see, chroot will run the applet rather than the binary
unless the full path is given. While this *may* be useful in some
situations, it can also lead to *really* subtle failures in others, so
I'm raising the severity of this bug. Please consider applying
Bernhard's patch if possible or at least documenting this behaviour!

Best regards

Alexander Kurtz
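
Until the package is patched or the behaviour is documented, a caller can avoid the applet/binary ambiguity shown in the transcript by resolving the command to an absolute path inside the target root before invoking chroot. The following is an added example, not part of the original message or of BusyBox; the function names `resolve_in_root` and `safe_chroot` and the default search path are assumptions.

```sh
#!/bin/sh
# Added example (not from the original report). Names and the default search
# path are assumptions.

# resolve_in_root ROOT CMD [SEARCH_PATH]
# Print CMD as an absolute path valid inside ROOT. Passing that path to
# "busybox chroot" makes it exec the on-disk binary rather than a same-named
# applet. Returns 1 if not found, 2 for a relative path containing a slash.
# Limitation: absolute symlinks under ROOT are followed against the host
# filesystem by the test(1) checks below.
resolve_in_root() {
    root=${1%/}            # "/" becomes "", so paths below stay well-formed
    cmd=$2
    search=${3:-/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin}
    case $cmd in
        /*) [ -f "$root$cmd" ] && [ -x "$root$cmd" ] || return 1
            printf '%s\n' "$cmd"
            return 0 ;;
        */*) return 2 ;;   # e.g. ./id: meaning depends on cwd, refuse
    esac
    old_ifs=$IFS
    IFS=:
    for dir in $search; do
        IFS=$old_ifs
        [ -n "$dir" ] || continue
        if [ -f "$root$dir/$cmd" ] && [ -x "$root$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# safe_chroot ROOT CMD [ARGS...]
# Refuse to run anything that does not resolve to a real file under ROOT.
safe_chroot() {
    sc_root=$1
    sc_cmd=$2
    shift 2
    sc_abs=$(resolve_in_root "$sc_root" "$sc_cmd") || {
        echo "safe_chroot: '$sc_cmd' not found under $sc_root" >&2
        return 127
    }
    chroot "$sc_root" "$sc_abs" "$@"
}
```

With this wrapper, `safe_chroot / id --version` would be executed as `chroot / /usr/bin/id --version` on the system shown above, which is the invocation that reached GNU coreutils in the transcript.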
