Re: deb vfs security issue (CAN-2004-0494)
- From: Roland Illig <roland illig gmx de>
- To: MC Devel <mc-devel gnome org>
- Subject: Re: deb vfs security issue (CAN-2004-0494)
- Date: Thu, 19 Aug 2004 17:35:32 +0200
Leonard den Ottolander wrote:
> Hi Jakub,
>
> On Wed, 2004-08-18 at 17:22, Jakub Jelinek wrote:
>> There are many other scripts which need similar treatment.
>> grep -l bin/perl /usr/share/mc/extfs/* | xargs grep open
>> shows a lot of (potential) problems, at least in a, apt, debd, mailfs,
>> patchfs, rpms and uzip.
>
> a looks vulnerable. This script uses $disk:/$path. Hm. Very dozy. What
> files is it used for anyway?

For files on floppies. The mtools provide the good old DOS commands
(dir, copy, move) for UNIX as (mdir, mcopy, mmove).

> apt uses the result of a find. Probably vulnerable. Also uses the output
> of an "apt-cache dumpavail". Maybe somebody could enlighten me on this
> command, but I think it could use escaping anyway. And an unchecked
> $file. Bad script! Bad!

apt-cache dumpavail does:

    for i in ${all-available-packages}; do
        print_complete_package_info $i
    done

The first package info looks like:

    Package: 3dchess
    Priority: optional
    Section: games
    Installed-Size: 152
    Maintainer: Stephen Stafford <bagpuss debian org>
    Architecture: i386
    Version: 0.8.1-11
    Depends: libc6 (>= 2.3.2.ds1-4), xaw3dg (>= 1.5+E-1), xlibs (>> 4.1.0)
    Filename: pool/main/3/3dchess/3dchess_0.8.1-11_i386.deb
    Size: 33116
    MD5sum: 7248665d99d529342a5cd050a9128ff6
    Description: 3D chess for X11
     3 dimensional Chess game for X11R6. There are three boards, stacked
     vertically; 96 pieces of which most are the traditional chess pieces with
     just a couple of additions; 26 possible directions in which to move. The
     AI isn't wonderful, but provides a challenging enough game to all but the
     most highly skilled players.

Roland
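
The concern raised in this thread, file names reaching a shell through Perl's open, shown as an added example (not code from mc or from any poster in the thread). The commented-out mdir line is an assumed shape of the pattern, read_cmd and sh_quote are hypothetical helpers, and a perl one-liner stands in for mdir so the example runs without mtools.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: a file name as it could appear on a floppy or inside
# an archive; it contains shell metacharacters.
my $disk = 'a';
my $path = 'docs/report; echo INJECTED.txt';

# Pattern the thread warns about (shown, not executed): the string form
# hands the whole line to /bin/sh, which treats ';' as a command separator.
#   open(my $in, "mdir $disk:/$path |");

# Run a command without a shell: with the list form of a pipe open, every
# element reaches the child as exactly one argv entry.
sub read_cmd {
    my @argv = @_;
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!";
    my @lines = <$fh>;
    close($fh) or die "$argv[0] failed (status $?)";
    chomp @lines;
    return @lines;
}

# When a shell string cannot be avoided, wrap the value in single quotes
# and rewrite each embedded quote as '\'' so nothing is interpreted.
sub sh_quote {
    my ($s) = @_;
    $s =~ s/'/'\\''/g;
    return "'$s'";
}

# Stand-in for mdir: prints each argument it received on its own line.
my @echo_args = ($^X, '-e', 'print "$_\n" for @ARGV');

# List form: the hostile name arrives as a single, unmodified argument.
my @got = read_cmd(@echo_args, "$disk:/$path");
print "list form: ", scalar(@got), " argument: [$got[0]]\n";

# Quoted string form: still goes through /bin/sh, but nothing is expanded.
my $cmd = join ' ', map { sh_quote($_) } @echo_args, "$disk:/$path";
my @quoted = `$cmd`;
chomp @quoted;
print "quoted string form: ", scalar(@quoted), " argument: [$quoted[0]]\n";
```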