devscripts: licensecheck: CVE-2015-5704: shell injection vulnerability

Related Vulnerabilities: CVE-2015-5704  

Debian Bug report logs - #794260


Reported by: Jonas Smedegaard <dr@jones.dk>

Date: Fri, 31 Jul 2015 18:45:14 UTC

Severity: grave

Tags: patch, security

Found in versions devscripts/2.15.6, devscripts/2.15.5

Fixed in version devscripts/2.15.7

Done: James McCoy <jamessan@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>:
Bug#794260; Package devscripts. (Fri, 31 Jul 2015 18:45:17 GMT).


Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>. (Fri, 31 Jul 2015 18:45:18 GMT).


Message #5 received at submit@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: devscripts: licensecheck chokes on files containing space
Date: Fri, 31 Jul 2015 20:44:12 +0200
Package: devscripts
Version: 2.15.6
Severity: grave
Tags: security patch
Justification: user security hole

On line 324 of licensecheck is executed this shell code:

  file --brief --mime --dereference $file

That will fail if the input file contains space, and may do horrible
things with input files containing semicolon.

Fix is simple: Add quotes around the variable, so line 324 looks like
this:

    my $mime = `file --brief --mime --dereference "$file"`;


 - Jonas




Information forwarded to debian-bugs-dist@lists.debian.org, Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>:
Bug#794260; Package devscripts. (Fri, 31 Jul 2015 19:36:08 GMT).


Message #8 received at 794260@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Jonas Smedegaard <dr@jones.dk>, 794260@bugs.debian.org
Subject: Re: Bug#794260: devscripts: licensecheck chokes on files containing space
Date: Fri, 31 Jul 2015 21:32:33 +0200

* Jonas Smedegaard <dr@jones.dk>, 2015-07-31, 20:44:
>On line 324 of licensecheck is executed this shell code:
>
>  file --brief --mime --dereference $file
>
>That will fail if the input file contains space, and may do horrible 
>things with input files containing semicolon.
>
>Fix is simple: Add quotes around the variable, so line 324 looks like 
>this:
>
>    my $mime = `file --brief --mime --dereference "$file"`;

Note that $file is expanded by Perl, not by shell, so this change is not 
sufficient:
| $ touch '"; cowsay moo; #.c'
| $ licensecheck *.c
| /usr/bin/licensecheck warning: cannot parse file '"; cowsay moo; #.c' with mime type 'cannot open `' (No such file or directory)
|  _____
| < moo >
|  -----
|         \   ^__^
|          \  (oo)\_______
|             (__)\       )\/\
|                 ||----w |
|                 ||     ||'

(If the variable were expanded by shell, command injection wouldn't be 
even possible. You could still exploit argument injection, but that's 
less exciting.)

-- 
Jakub Wilk
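
The point made in the reply above, as an added example in Perl (not code from devscripts or from the thread): both backtick forms are run over two constructed file names, one using the semicolon from the report and one using the double quote from the reply, next to a call that involves no shell. The list-form pipe open is a core-Perl stand-in for the Dpkg::IPC call named in the fix, whose code is not shown on this page; the file names, the marker string and the helper functions are made up for the example.

```perl
#!/usr/bin/perl
# Added example, not devscripts code. Assumes file(1) and /bin/sh exist.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Original line 324: Perl interpolates the name, then the shell parses it.
sub mime_unquoted {
    my ($f) = @_;
    return `file --brief --mime --dereference $f` // '';
}

# Quoting fix from the report: a '"' inside the name closes the quotes.
sub mime_quoted {
    my ($f) = @_;
    return `file --brief --mime --dereference "$f"` // '';
}

# No shell: list-form pipe open execs file(1) with the name as a single
# argv entry; '--' also keeps a leading '-' from being read as an option.
sub mime_noshell {
    my ($f) = @_;
    open(my $pipe, '-|', 'file', '--brief', '--mime', '--dereference', '--', $f)
        or die "cannot run file: $!";
    local $/;
    my $out = <$pipe> // '';
    close $pipe;
    return $out;
}

my $dir = tempdir(CLEANUP => 1);
# Constructed names; the embedded command only echoes a marker.
my @names = ('a; echo INJECTED; #.c', '"; echo INJECTED; #.c');
my @cases = (['unquoted', \&mime_unquoted], ['quoted', \&mime_quoted],
             ['no shell', \&mime_noshell]);
for my $name (@names) {
    my $path = "$dir/$name";
    open(my $fh, '>', $path) or die "create '$path': $!";
    close $fh;
    for my $case (@cases) {
        my ($label, $run) = @$case;
        my $hit = $run->($path) =~ /^INJECTED$/m ? 'yes' : 'no';
        printf "%-24s %-9s marker echoed: %s\n", "'$name'", $label, $hit;
    }
}
```

Each backtick form echoes the marker for one of the two names, which is why the fix removes the shell instead of adjusting the quoting.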



Marked as found in versions devscripts/2.15.5. Request was from James McCoy <jamessan@debian.org> to control@bugs.debian.org. (Sat, 31 Jul 2015 23:51:04 GMT).


Added tag(s) pending. Request was from James McCoy <jamessan@debian.org> to control@bugs.debian.org. (Sat, 01 Aug 2015 00:48:06 GMT).


Message sent on to Jonas Smedegaard <dr@jones.dk>:
Bug#794260. (Sat, 01 Aug 2015 00:48:15 GMT).


Message #15 received at 794260-submitter@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: 794260-submitter@bugs.debian.org
Subject: Bug#794260 marked as pending
Date: Sat, 01 Aug 2015 00:46:26 +0000

tag 794260 pending
thanks

Hello,

Bug #794260 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/devscripts.git;a=commitdiff;h=c0687bc

---
commit c0687bcde23108dd42e146573c368b6905e6b8e8
Author: James McCoy <jamessan@debian.org>
Date:   Fri Jul 31 19:56:36 2015 -0400

    licensecheck: Use Dpkg::IPC to run file command
    
    The command being run through `` allowed the shell to interpret the
    given file argument, which allows arbitrary command execution.  Using
    Dpkg::IPC avoids the shell, directly executing file.
    
    Closes: #794260
    Signed-off-by: James McCoy <jamessan@debian.org>

diff --git a/debian/changelog b/debian/changelog
index a9cd9cb..6536846 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+devscripts (2.15.7) UNRELEASED; urgency=medium
+
+  * licensecheck:
+    + Use Dpkg::IPC to run file to avoid shell injection.  (Closes: #794260)
+
+ -- James McCoy <jamessan@debian.org>  Fri, 31 Jul 2015 19:53:04 -0400
+
 devscripts (2.15.6) unstable; urgency=medium
 
   [ Paul Wise ]
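
Review bot: The header line of the new 2.15.7 entry sets urgency=medium, although #794260 is filed at severity grave with the security tag and the commit message describes arbitrary command execution; consider urgency=high so the fix reaches testing sooner. The bullet could also say that the injection comes through the file argument given to licensecheck, as the commit message does, so that someone reading only the changelog can judge their exposure. Only the debian/changelog hunk is shown here, so the licensecheck change itself cannot be checked against this description.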



Reply sent to James McCoy <jamessan@debian.org>:
You have taken responsibility. (Sat, 01 Aug 2015 03:39:05 GMT).


Notification sent to Jonas Smedegaard <dr@jones.dk>:
Bug acknowledged by developer. (Sat, 01 Aug 2015 03:39:05 GMT).


Message #20 received at 794260-close@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: 794260-close@bugs.debian.org
Subject: Bug#794260: fixed in devscripts 2.15.7
Date: Sat, 01 Aug 2015 03:34:57 +0000

Source: devscripts
Source-Version: 2.15.7

We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 794260@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated devscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 31 Jul 2015 22:50:33 -0400
Source: devscripts
Binary: devscripts
Architecture: source
Version: 2.15.7
Distribution: unstable
Urgency: medium
Maintainer: Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Closes: 794260 794263 794282
Description: 
 devscripts - scripts to make the life of a Debian Package maintainer easier
Changes:
 devscripts (2.15.7) unstable; urgency=medium
 .
   * licensecheck:
     + Use Dpkg::IPC to run file to avoid shell injection.  (Closes: #794260)
     + Change whitelist of mime types to greylist of encodings.  Restores
       ability to check files with mime types like text/x-c++ and
       application/postscript.  Thanks to Jonas Smedegaard for the patch.
       (Closes: #794282)
     + Fix an endless loop in parsing certain files.  Thanks to Jonas
       Smedegaard for the patch.  (Closes: #794263)
Checksums-Sha1: 
 e1368f617e07f74cb0bcd41e6202ede27d42d784 2257 devscripts_2.15.7.dsc
 4f01f5b1a9f118aebf66461adf46e0e830731f47 620100 devscripts_2.15.7.tar.xz
Checksums-Sha256: 
 daee3c021a6f44fe05e7568196c5eb55d34fbb6238f341a7fcf8443caa126ec5 2257 devscripts_2.15.7.dsc
 7eadef203bc50612af70fb0047b5225a7f2b5fdaacd45c2df09126fcc1aed027 620100 devscripts_2.15.7.tar.xz
Files: 
 e5b6f0e0c29dca1b3f37f3713ec7e75a 2257 devel optional devscripts_2.15.7.dsc
 1655e2c91e42cd48393c65726bc3faa9 620100 devel optional devscripts_2.15.7.tar.xz





Changed Bug title to 'devscripts: licensecheck: CVE-2015-5704: shell injection vulnerability' from 'devscripts: licensecheck chokes on files containing space'. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 02 Aug 2015 07:33:13 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 02 Sep 2015 07:32:59 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:07:44 2019; Machine Name: beach
