Dear security and LTS teams,

I'm co-maintainer of dietlibc. Thorsten Glaser has found a security issue: the default PATH (when the environment variable is NOT set) contains the current working directory. He has publicly reported this upstream under:

  http://news.gmane.org/find-root.php?message_id=alpine.DEB.2.20.1607181048300.24083%40tglase.lan.tarent.de

I've already uploaded a fixed version of the package to sid. The fixed version in sid is 0.34~cvs20160606-2.

This bug also affects the diet binary (wrapper to call gcc) provided in the dietlibc package, as that uses execvp internally.

I've also prepared updates for the package for Jessie and Wheezy; debdiffs against the current versions in Jessie and Wheezy are attached to this email. I've also pushed them to the wheezy and jessie branches in the git repository:

  git clone https://anonscm.debian.org/git/collab-maint/dietlibc.git -b jessie
  git clone https://anonscm.debian.org/git/collab-maint/dietlibc.git -b wheezy

Please note that if you use gbp to build the packages, you need to add --git-debian-branch=jessie (or wheezy) --git-pristine-tar to the gbp buildpackage command, as only in sid does debian/gbp.conf have the proper options. (Also, the package in sid supports arch=all autobuilders and source-only uploads; the packages in Wheezy and Jessie probably do not.)

I have verified that the new packages build in a clean pbuilder environment in Jessie and Wheezy.

Since dietlibc is a static library, some reverse dependencies need to be recompiled. I've gone through all reverse dependencies of dietlibc in Debian, and only three use either dietlibc's _PATH_DEFPATH define or execvp()/execlp() from dietlibc (e2fsprogs in Wheezy and Jessie does use execvp and execlp, but not from fsck.ext2, which is the only binary compiled against dietlibc used there; e2fsprogs in sid isn't compiled against dietlibc anymore):

  - minit (wheezy, jessie)
  - util-vserver (jessie, sid)
  - mksh (wheezy, jessie, sid, experimental)

(The other rdeps do not contain any reference to _PATH_DEFPATH or execvp/execlp.)

I have verified that these rdeps compile against the fixed version of dietlibc in a clean pbuilder environment.

I do not know whether the flaw can be exploited in util-vserver and minit, whereas for mksh Thorsten Glaser provided a PoC.

Also note that users of this library who compile their code manually against the dietlibc package from Debian might need to recompile their own code after this update, if it uses _PATH_DEFPATH, execvp or execlp from dietlibc, so this should be mentioned in the advisory.

Please advise me on how to get updates made available for Jessie and Stretch. For the binNMUs in sid and experimental, I will have to contact the release team, I assume?

Thank you!

Regards,
Christian

PS: Note: I'm a DM and have upload permissions for dietlibc in sid, in case that's relevant.
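The trailing colon that the fix removes is an empty PATH component, and POSIX execvp() resolves an empty component as the current working directory. The following check, added here as an example and not part of dietlibc or the Debian package, splits a PATH string the same way execvp() does and counts the components that resolve to the cwd; the two _PATH_DEFPATH values are the before/after strings from the attached debdiff, the other samples are constructed.

```c
#include <stdio.h>
#include <string.h>

/* _PATH_DEFPATH before and after the Debian patch (values from the debdiff). */
#define OLD_DEFPATH "/bin:/usr/bin:"
#define NEW_DEFPATH "/bin:/usr/bin"

/*
 * Split PATH on ':' the way execvp() does and count the components that
 * resolve to the current working directory: an empty component (from a
 * leading, trailing or doubled colon, or an entirely empty string) and an
 * explicit ".".  POSIX specifies that an empty element means the cwd, which
 * is why the trailing ':' in the old default was a security problem.
 */
int path_count_cwd_components(const char *path)
{
    int hits = 0;
    const char *start = path;

    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);

        if (len == 0 || (len == 1 && start[0] == '.'))
            hits++;
        if (end == NULL)
            break;
        start = end + 1;
    }
    return hits;
}

/* A compiled-in default PATH is acceptable only if no component is the cwd. */
int default_path_is_safe(const char *defpath)
{
    return path_count_cwd_components(defpath) == 0;
}

int main(void)
{
    /* Constructed samples alongside the two real _PATH_DEFPATH values. */
    const char *samples[] = { OLD_DEFPATH, NEW_DEFPATH, ":/bin", "/bin::/usr/bin", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d cwd component(s), %s\n", samples[i],
               path_count_cwd_components(samples[i]),
               default_path_is_safe(samples[i]) ? "safe" : "UNSAFE");
    return 0;
}
```

Running the same check over the string a binary actually embeds (for example by extracting it with strings) tells you whether that binary was built against the fixed header or still needs the rebuild the mail describes.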
diff -Nru dietlibc-0.33~cvs20120325/debian/changelog dietlibc-0.33~cvs20120325/debian/changelog --- dietlibc-0.33~cvs20120325/debian/changelog 2012-09-30 16:18:30.000000000 +0200 +++ dietlibc-0.33~cvs20120325/debian/changelog 2016-07-20 08:39:46.000000000 +0200 @@ -1,3 +1,10 @@ +dietlibc (0.33~cvs20120325-4+deb7u1) wheezy-security; urgency=high + + * Security: fix insecure default PATH. + Thanks to Thorsten Glaser <t.gla...@tarent.de> for discovering this + + -- Christian Seiler <christ...@iwakd.de> Wed, 20 Jul 2016 08:38:13 +0200 + dietlibc (0.33~cvs20120325-4) unstable; urgency=low [ Peter Michael Green ] diff -Nru dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff --- dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff 1970-01-01 01:00:00.000000000 +0100 +++ dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff 2016-07-20 08:39:46.000000000 +0200 
@@ -0,0 +1,19 @@ +Description: Fix insecure default PATH + Throsten Glaser <t.gla...@tarent.de> discovered that the default PATH + (absent the environment variable) contains the local directory. +Author: Christian Seiler <christ...@iwakd.de> +Bug: http://news.gmane.org/find-root.php?message_id=alpine.DEB.2.20.1607181048300.24083%40tglase.lan.tarent.de +Last-Update: 2016-07-20 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/include/paths.h ++++ b/include/paths.h +@@ -2,7 +2,7 @@ + #define _PATHS_H + + #define _PATH_BSHELL "/bin/sh" +-#define _PATH_DEFPATH "/bin:/usr/bin:" ++#define _PATH_DEFPATH "/bin:/usr/bin" + + #define _PATH_DEVNULL "/dev/null" + diff -Nru dietlibc-0.33~cvs20120325/debian/patches/series dietlibc-0.33~cvs20120325/debian/patches/series --- dietlibc-0.33~cvs20120325/debian/patches/series 2012-09-30 16:18:30.000000000 +0200 +++ dietlibc-0.33~cvs20120325/debian/patches/series 2016-07-20 08:39:46.000000000 +0200 @@ -27,3 +27,4 @@ 0034-make-select-testcase-useful.diff 0035-Use-syscall-_newselect-instead-of-select-on-ppc64.diff 0036-fix-jmp_buf-size-on-armhf.diff +0100-security-insecure-default-PATH.diff
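Review bot: in the wheezy changelog hunk the line `Thanks to Thorsten Glaser <t.gla...@tarent.de> for discovering this` is missing its terminating period, and the entry carries no reference to the report it fixes; add the period and cite the upstream report URL already used in the DEP-3 `Bug:` field (or the CVE, if one gets assigned) so the changelog entry can be matched against the advisory.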
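Review bot: the DEP-3 Description in 0100-security-insecure-default-PATH.diff misspells the reporter's name as `Throsten Glaser` while the changelog hunk has `Thorsten`; correct it before upload, since the header ships in the source package. The code change itself is the minimal correct fix: the trailing `:` in `"/bin:/usr/bin:"` is an empty PATH element, which execvp() resolves as the current working directory, and `"/bin:/usr/bin"` drops exactly that element. Because _PATH_DEFPATH is a compile-time constant in a static library, this hunk only reaches binaries rebuilt against the new dietlibc, which is why the recompilation note in the cover mail belongs in the advisory text.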
diff -Nru dietlibc-0.33~cvs20120325/debian/changelog dietlibc-0.33~cvs20120325/debian/changelog --- dietlibc-0.33~cvs20120325/debian/changelog 2014-02-11 21:48:24.000000000 +0100 +++ dietlibc-0.33~cvs20120325/debian/changelog 2016-07-20 08:42:03.000000000 +0200 @@ -1,3 +1,10 @@ +dietlibc (0.33~cvs20120325-6+deb8u1) jessie-security; urgency=high + + * Security: fix insecure default PATH. + Thanks to Thorsten Glaser <t.gla...@tarent.de> for discovering this + + -- Christian Seiler <christ...@iwakd.de> Wed, 20 Jul 2016 08:41:30 +0200 + dietlibc (0.33~cvs20120325-6) unstable; urgency=low * Team upload. diff -Nru dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff --- dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff 1970-01-01 01:00:00.000000000 +0100 +++ dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff 2016-07-20 08:42:03.000000000 +0200 @@ -0,0 +1,19 @@ +Description: Fix insecure default PATH + Throsten Glaser <t.gla...@tarent.de> discovered that the default PATH + (absent the environment variable) contains the local directory. +Author: Christian Seiler <christ...@iwakd.de> +Bug: http://news.gmane.org/find-root.php?message_id=alpine.DEB.2.20.1607181048300.24083%40tglase.lan.tarent.de +Last-Update: 2016-07-20 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/include/paths.h ++++ b/include/paths.h +@@ -2,7 +2,7 @@ + #define _PATHS_H + + #define _PATH_BSHELL "/bin/sh" +-#define _PATH_DEFPATH "/bin:/usr/bin:" ++#define _PATH_DEFPATH "/bin:/usr/bin" + + #define _PATH_DEVNULL "/dev/null" + diff -Nru dietlibc-0.33~cvs20120325/debian/patches/series dietlibc-0.33~cvs20120325/debian/patches/series --- dietlibc-0.33~cvs20120325/debian/patches/series 2014-02-11 21:41:35.000000000 +0100 +++ dietlibc-0.33~cvs20120325/debian/patches/series 2016-07-20 08:42:03.000000000 +0200 
@@ -28,3 +28,4 @@ 0035-Use-syscall-_newselect-instead-of-select-on-ppc64.diff 0036-fix-jmp_buf-size-on-armhf.diff 0037-support-powerpcspe.diff +0100-security-insecure-default-PATH.diff
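Review bot: the jessie debdiff carries the same two defects as the wheezy one: `Throsten` in the DEP-3 Description of 0100-security-insecure-default-PATH.diff and the unterminated `Thanks to Thorsten Glaser ... for discovering this` line in the changelog entry; fix both copies so the two branches differ only in the version and distribution fields.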