Package: debian-goodies
Version: 0.79
Tags: security patch

which-pkg-broke can inadvertently execute binaries from the current working directory. Proof of concept:

   $ printf '#!/bin/sh\napt-get moo>/dev/tty' > apt-cache
   $ chmod u+x apt-cache
   $ command -v apt-cache
   /usr/bin/apt-cache
   $ which-pkg-broke debian-goodies
                    (__)
                    (oo)
              /------\/
             / |    ||
            *  /\---/\
               ~~   ~~
   ..."Have you mooed today?"...
   debian-goodies                                         Fri Nov 24 22:39:04 2017


This happens because:
1) w-p-b removes all environment variables when spawning subprocesses.
2) When PATH is missing, Python falls back to ":/bin:/usr/bin", which has cwd in the front: https://bugs.python.org/issue26414
(This is unfortunate, but consistent with what glibc historically did.)

Patch attached.


-- System Information:
Architecture: i386

Versions of packages debian-goodies recommends:
ii  apt                        1.6~alpha5
ii  curl                       7.57.0-1
ii  dctrl-tools                2.24-2+b1
ii  elfutils                   0.170-0.1
ii  libipc-system-simple-perl  1.25-3
ii  man-db                     2.7.6.1-4
ii  perl                       5.26.1-3
un  popularity-contest         <none>
ii  procps                     2:3.3.12-3
ii  python3                    3.6.3-2
ii  sensible-utils             0.0.11
ii  whiptail                   0.52.20-1+b1
ii  dialog                     1.3-20160828-2
un  zenity                     <none>

--
Jakub Wilk
diff --git a/which-pkg-broke b/which-pkg-broke
index 4f53139..c0bd621 100755
--- a/which-pkg-broke
+++ b/which-pkg-broke
@@ -9,12 +9,15 @@ import time
 from string import *
 from stat import *
 
+def force_posix_locale():
+    os.environ['LC_ALL'] = 'C'
+
 def pkgdeps(pkg):
     apt_cache = subprocess.Popen(
         ['apt-cache', 'depends', pkg],
         stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
         universal_newlines=True,
-        env={} # force POSIX locale
+        preexec_fn=force_posix_locale,
     )
     deps = []
     for myline in apt_cache.stdout:
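Review bot: preexec_fn=force_posix_locale on the apt-cache call runs Python code in the child between fork and exec, which the subprocess documentation warns is not safe when the application uses threads; passing env=dict(os.environ, LC_ALL='C') overrides the locale and keeps PATH without needing a hook. Also, force_posix_locale() uses os, but the import context visible in this hunk shows only time, string and stat, so confirm that os is imported at the top of the file.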
@@ -49,7 +52,7 @@ def localarchitectures():
         ['dpkg', '--print-architecture'],
         stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
         universal_newlines=True,
-        env={} # force POSIX locale
+        preexec_fn=force_posix_locale,
     )
     for arch in dpkg_arch.stdout.readlines():
         architectures.append(arch.rstrip())
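Review bot: the dpkg --print-architecture call keeps stderr=subprocess.STDOUT while every line read from stdout is appended to architectures, so anything dpkg writes to stderr ends up in the list as an architecture name. Since this call is being touched anyway, consider sending stderr elsewhere (for example subprocess.DEVNULL) and checking the exit status, which the visible lines do not do, before using the output.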
@@ -59,7 +62,7 @@ def localarchitectures():
             ['dpkg', '--print-foreign-architecture'],
             stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
             universal_newlines=True,
-            env={} # force POSIX locale
+            preexec_fn=force_posix_locale,
             )
         for arch in dpkg_archs.stdout.readlines():
             architectures.append(arch.rstrip())
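Review bot: this is the third call site repeating the same stdout, stderr, universal_newlines and preexec_fn arguments, and the "# force POSIX locale" comment that explained the intent is dropped at each one. A small wrapper around subprocess.Popen that sets these arguments once, with a comment saying that the environment must be inherited rather than replaced so that PATH survives, would keep a later call site from reintroducing env={}.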

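The lookup described in the report, as an added example that is not part of the original report or of debian-goodies: it lists the paths a bare command name would be tried at for a given subprocess environment and flags entries that depend on the current working directory. The fallback string is the one quoted in the report and is passed in explicitly as an assumption, since `os.defpath` may differ on your Python; all function names are hypothetical, and `posix_locale_env()` is an alternative to the patch's `preexec_fn` approach, not the patch itself.

```python
import os

# Fallback quoted in the report for a missing PATH (assumption: your Python's
# os.defpath may differ, so the value is a parameter rather than read live).
LEGACY_DEFPATH = ":/bin:/usr/bin"


def effective_search_path(env, defpath=LEGACY_DEFPATH):
    """Directories searched for a bare command name given a subprocess env.

    env=None means the child inherits os.environ; a missing PATH falls back
    to defpath, which is the situation env={} creates.
    """
    if env is None:
        env = os.environ
    raw = env.get("PATH")
    if raw is None:
        raw = defpath
    return raw.split(os.pathsep)


def cwd_entries(dirs):
    """Indexes of entries that resolve relative to the working directory.

    An empty entry (leading, trailing or doubled separator) and any
    non-absolute entry such as "." both qualify.
    """
    return [i for i, d in enumerate(dirs) if not os.path.isabs(d)]


def audit(cmd, env, defpath=LEGACY_DEFPATH):
    """Candidate paths for cmd, in lookup order, plus the cwd-relative ones."""
    dirs = effective_search_path(env, defpath)
    return {"candidates": [os.path.join(d, cmd) for d in dirs],
            "cwd_relative": cwd_entries(dirs)}


def posix_locale_env(base=None):
    """Copy of the parent environment with only the locale overridden."""
    env = dict(os.environ if base is None else base)
    env["LC_ALL"] = "C"
    return env


if __name__ == "__main__":
    # Constructed sample environment, not taken from the report.
    parent = {"PATH": "/usr/bin:/bin", "LANG": "pl_PL.UTF-8"}
    print("env={}      ->", audit("apt-cache", {}))
    print("locale only ->", audit("apt-cache", posix_locale_env(parent)))
```

A non-empty `cwd_relative` list means a file in the working directory can shadow the intended binary at that position in the lookup order.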