Thank you Emilio for doing the triaging, and thanks Chris for claiming the package.
El 20/12/24 a las 11:12, Emilio Pozuelo Monfort escribió:
> On 20/12/2024 03:53, Santiago Ruano Rincón wrote:
> > Hi Mark, and thanks for the heads-up,
> >
> > CC'ing the LTS mailing list for visibility. BCC'ing debian-devel.
> >
> > El 19/12/24 a las 17:50, Mark Hindley escribió:
> > > Hello,
> > >
> > > I recently completed salvaging of src:ucf[1].
> > >
> > > As part of code cleanup I discovered a variable inherited from the
> > > environment which is then passed to eval[2]. Unintended code execution
> > > is trivial to demonstrate. To my mind, this is a coding oversight. As
> > > the patch in #1089015 shows, the fix is simple and obvious.

As a safety measure, I would just like to highlight this:

> > > But I want to be sure that nobody is using inheritance of this variable
> > > as an undocumented 'feature' before merging the suggested patch.

In other words, public discussion helps here to create awareness among LTS users, to avoid breaking configs after applying the patch.

> > > The Security Team have already been consulted and are content for this
> > > to be handled through stable-pu.

As a first thought, I would say that this should be released in LTS (and older) after the stable-pu has been published. Chris, should we contact users with a more specific message/announcement to make sure we are on the safest side (and avoid breaking configs)?

> > > For completeness, unstable and testing are no longer affected as
> > > virtually all uses of eval have been removed.
> > >
> > > Thanks
> > >
> > > Mark
> > >
> > > [1] https://bugs.debian.org/1086847
> > >
> > > [2] https://bugs.debian.org/1089015
> >
> > There are no point releases for the LTS release, so if this warrants a
> > fix, it should be done via a DLA. Emilio, since you are FD this week,
> > would you mind taking a look at this?
>
> Ack, let's fix this.

Cheers,

-- Santiago