oss-sec mailing list archives
CVE or not: 2x grml-debootstrap
From: Sebastian Pipping <sebastian () pipping org>
Date: Wed, 21 Jan 2015 22:06:48 +0100
Hi!

TLDR:
* One or two CVE candidates
* Review of proposed fixes wanted
* Ideas on realistic attack scenarios welcome

grml-debootstrap [1] is a wrapper around debootstrap written in Bash.
I recently ran into two bugs in grml-debootstrap, documented in detail at
the following GitHub issues.

1) For the first

  Issues with sourcing cmdlineopts.clp from current working directory
  https://github.com/grml/grml-debootstrap/issues/59

I am rather clear about exploitability. Please review the proposed
approach for a fix.

2) For the second

  Lack of user input escaping / use of $!`"\ in passwords
  https://github.com/grml/grml-debootstrap/issues/58

I still wonder about realistic exploitation scenarios. Since the tool is
usually executed by root or using sudo, input from a non-root user would
need to make its way into the command line, unfiltered or filtered
insufficiently. It could either be a service like live-build

  http://cgi.build.live-systems.org/cgi-bin/live-build

(they don't call grml-debootstrap, if the code is [2]) or a sudoers
config like

  user23 ALL=(ALL) NOPASSWD: /usr/sbin/grml-debootstrap \
      --password *

..... though I am not sure how much of a likely setup that is.

Other ideas on scenarios?

Also, please review my proposal on escaping.

Thanks and best,

Sebastian

[1] https://github.com/grml/grml-debootstrap
[2] https://packages.debian.org/de/wheezy/live-build
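Two defensive shell patterns for the bug classes the message raises, as an added example that is not part of the original post and not grml-debootstrap's own code: a guard that refuses to source a file resolved relative to the current working directory (or one that others can write), and single-quote escaping that makes characters like $ ! ` " \ inert before untrusted text is spliced into a command string, alongside the simpler option of handing the secret to chpasswd on stdin. The function names (source_candidate_ok, shell_quote, quoted_roundtrip, chpasswd_stdin_line) and the sample values are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not code from grml-debootstrap: defensive shell patterns for
# the two bug classes discussed in the post above. Function names and sample
# values are illustrative assumptions.

# Pattern 1: check a file before it is sourced.
# `source cmdlineopts.clp` resolves the name against the current working
# directory, so whoever controls that directory controls the code that runs
# as root. Accept only an absolute path to a regular file that the invoking
# user owns and that is not writable by group or others.
source_candidate_ok() {
    local f="$1" perm low2
    case "$f" in
        /*) ;;                  # absolute path required; never CWD-relative
        *)  return 1 ;;
    esac
    [ -f "$f" ] || return 1     # regular file only
    [ -O "$f" ] || return 1     # owned by the user running the script
    # octal mode, GNU stat first and BSD stat as a fallback
    perm=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    low2=${perm#"${perm%??}"}   # group and other digits, e.g. "44" of 644
    case "$low2" in
        *[2367]*) return 1 ;;   # a 2 bit in either digit means writable
    esac
    return 0
}

# Pattern 2: quote untrusted text before it is spliced into a command string.
# Wrapping in single quotes and rewriting each embedded ' as '\'' yields a
# word the shell re-reads as exactly the original bytes, so $ ! ` " \ have
# no effect. (Bash's `printf %q` produces an equivalent form.)
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Round trip: the quoted value is re-parsed by eval, the way an unquoted
# password would be inside `sh -c "... $PASSWORD ..."`. With quoting applied
# the original comes back unchanged and nothing in it is executed.
quoted_roundtrip() {
    local quoted
    quoted=$(shell_quote "$1")
    eval "printf '%s' $quoted"
}

# Pattern 2b: keep the secret off the command line altogether and pass it on
# stdin in the "user:password" form that chpasswd reads.
chpasswd_stdin_line() {
    printf '%s:%s\n' "$1" "$2"
}

# Stand-alone demonstration with constructed sample values.
sample='pa$s!`w"ord\'"'"'x'
printf 'quoted form : %s\n' "$(shell_quote "$sample")"
printf 'round trip  : %s\n' "$(quoted_roundtrip "$sample")"
chpasswd_stdin_line root "$sample" | sed 's/^/chpasswd in : /'
```

The first pattern is the check to run before any `source` in a script that is executed as root; the second shows that a value which round-trips through eval unchanged is safe to interpolate, while the stdin form avoids the problem entirely because the password never becomes part of a shell command line.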
Current thread:
- CVE or not: 2x grml-debootstrap Sebastian Pipping (Jan 21)
- Re: CVE or not: 2x grml-debootstrap cve-assign (Jan 27)