Your message dated Sat, 11 Jan 2025 11:03:09 +0000
with message-id <e1twzgn-009jcr...@coccia.debian.org>
and subject line Close 1091196
has caused the Debian Bug report #1091196,
regarding bookworm-pu: package ucf/3.0043+nmu1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1091196: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091196
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm security
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: u...@packages.debian.org
Control: affects -1 + src:ucf

Hello,

Please consider accepting src:ucf version 3.0043+nmu1+deb12u1 into
bookworm. This would fix #1089015.

[ Reason ]

I have recently completed salvaging of src:ucf[1]. As part of code review I
discovered a variable inherited from the environment without initialisation
which is subsequently passed to eval[2]. Command injection is trivial to
demonstrate.

The Security team have been consulted and are content to handle this through
-pu.

To me, the issue appears to be a coding oversight. It is present in all current
stable releases.

[ Impact ]

The security issue will remain.

[ Tests ]

Manual testing has not exposed any regressions.

[ Risks ]

The fix is obvious and straightforward. There is a theoretical risk that users
might be using this inheritance as an undocumented 'feature'. However, nobody
has indicated awareness of this[3] so far.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable (but see below)

[ Changes ]

Initialise 'saved' variable before use to prevent inheritance from the
environment.

[ Other info ]

The fix in unstable/testing is different: the code has been rewritten so as to
remove virtually all uses of eval and remove the need to save/restore $@.

[1]  https://bugs.debian.org/1086847

[2]  https://bugs.debian.org/1089015

[3]  https://lists.debian.org/debian-devel/2024/12/msg00424.html

Thanks

Mark
dpkg-source: warning: extracting unsigned source package (/home/mark/src/debian/build/ucf_3.0043+nmu1.dsc)
diff -Nru ucf-3.0043+nmu1/debian/changelog ucf-3.0043+nmu1+deb12u1/debian/changelog
--- ucf-3.0043+nmu1/debian/changelog    2023-01-27 13:29:51.000000000 +0000
+++ ucf-3.0043+nmu1+deb12u1/debian/changelog    2024-12-20 07:39:40.000000000 +0000
@@ -1,3 +1,9 @@
+ucf (3.0043+nmu1+deb12u1) bookworm; urgency=medium
+
+  * Initialise variable subsequently passed to eval. (Closes: #1089015)
+
+ -- Mark Hindley <lee...@debian.org>  Fri, 20 Dec 2024 07:39:40 +0000
+
 ucf (3.0043+nmu1) unstable; urgency=medium
 
   * Non-maintainer upload.
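Review bot: the changelog entry `+  * Initialise variable subsequently passed to eval. (Closes: #1089015)` names neither the variable nor the reason, which is the one line a stable-update reader will look at. Something like `Initialise 'saved' before use so it cannot be inherited from the environment and reach eval (Closes: #1089015)` would carry the information already given in the [ Changes ] section of the request.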
diff -Nru ucf-3.0043+nmu1/ucf ucf-3.0043+nmu1+deb12u1/ucf
--- ucf-3.0043+nmu1/ucf 2023-01-27 13:29:51.000000000 +0000
+++ ucf-3.0043+nmu1+deb12u1/ucf 2024-12-20 07:39:40.000000000 +0000
@@ -342,6 +342,7 @@
 OLD_SUFFIX="ucf-old"
 ERR_SUFFIX="merge-error"
 # save up the cmdline with proper quoting/escaping
+saved=
 for arg in "$@"; do
     saved="${saved:+$saved }'$(quote_single "$arg")'"
 done

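Review bot: `saved=` is the right shape for the fix rather than `unset saved`, since the loop's `${saved:+$saved }` treats unset and empty identically; what is missing is a short comment beside the new line saying why it is there (a variable never assigned in the script keeps whatever the caller exported under that name, and this string is later handed to eval), so that a later cleanup does not drop what looks like a redundant assignment. Worth a quick scan of the rest of the file for any other variable that is accumulated with the same pattern and then evaluated.
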
--- End Message ---
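The mechanism Mark describes (an unassigned shell variable taking its value from the environment and then being eval'd) can be checked on its own, without ucf. The script below is an added example, not ucf's code or anything from the bug report: it reproduces the argument-saving loop from the debdiff twice, once as shipped in bookworm and once with the `saved=` line, feeds both a constructed "inherited" value, and counts how many positional parameters come back after the `eval "set -- $saved"` restore. `quote_single` is a stand-in written here for the demo; ucf's real helper is assumed to escape single quotes the same way.

```shell
#!/bin/sh
# Added example, not part of ucf. Shows why initialising 'saved' matters
# when its contents are later passed to eval.

# Stand-in for ucf's quote_single (assumption: same escaping as ucf's own):
# wrap-safe single-quote escaping, turning  it's  into  it'\''s .
quote_single() {
    printf '%s' "$1" | sed "s/'/'\\\\''/g"
}

# Unpatched behaviour. The first parameter stands in for a value the script
# inherited from its environment (constructed for the demo); the script
# never resets 'saved', so the loop appends to it and the restore evaluates
# the inherited text together with the real arguments.
restore_count_unpatched() {
    saved=$1; shift               # emulates: exported $saved, never initialised
    for arg in "$@"; do
        saved="${saved:+$saved }'$(quote_single "$arg")'"
    done
    eval "set -- $saved"          # restore "$@" from the quoted string
    printf '%s\n' "$#"            # how many arguments came back
}

# Patched behaviour: identical, except for the one-line fix from the
# debdiff, so the environment cannot contribute to the string.
restore_count_patched() {
    saved=$1; shift               # same constructed inherited value as above
    saved=                        # the fix: start from an empty string
    for arg in "$@"; do
        saved="${saved:+$saved }'$(quote_single "$arg")'"
    done
    eval "set -- $saved"
    printf '%s\n' "$#"
}

# Demo: the caller passes exactly two arguments in both cases. A benign
# marker word stands in for whatever an attacker-controlled environment
# could have supplied; the point is only that it reaches eval at all.
printf 'unpatched: %s args restored (caller passed 2)\n' \
    "$(restore_count_unpatched "'extra'" a b)"
printf 'patched:   %s args restored (caller passed 2)\n' \
    "$(restore_count_patched "'extra'" a b)"
```

The patched variant also serves as a quick regression check for the quoting itself: arguments containing spaces or single quotes must survive the save/restore round trip as single words, which is what `${saved:+$saved }'...'` plus `quote_single` is there to guarantee.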
--- Begin Message ---
Version: 12.9
This update has been released as part of 12.9. Thank you for your contribution.

--- End Message ---