oss-sec mailing list archives

Re: Re: CVE-Request: dpkg handling of 'control' and warnings format string vulnerability


From: Sven Kieske <s.kieske () mittwald de>
Date: Fri, 7 Nov 2014 14:14:56 +0100




On 07/11/14 02:27, Seth Arnold wrote:
> On Thu, Nov 06, 2014 at 08:00:33PM -0500, cve-assign () mitre org
> wrote:
>>> A format string vulnerability vuln has been found in the latest
>>> version of dpkg.
>>> https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1389135
>>
>> Use CVE-2014-8625. We're aware of "does not show evidence of
>> allowing attackers to cross privilege boundaries" in
>> https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1389135/comments/2
>> -- we'll certainly look for any discussion on this list that
>> disputes the CVE.
>
> The build recipes in Debian packaging are all-powerful; they run
> arbitrary commands and executables with full privileges of the
> user building the package.
>
> The maintainer scripts in Debian binary packages are all-powerful;
> they run arbitrary commands and executables with root privileges
> when packages are installed.
>
> There is no need to resort to format string vulnerabilities in
> control files to execute malicious code in an untrusted package. It
> would be easier and more reliable to simply put malicious code
> directly in the debian/rules file or postinst scripts.
>
> It is not safe to build packages from untrusted sources. It is not
> safe to install packages from untrusted sources.
>
> This is why we did not assign a CVE from Ubuntu's CVE pool.

To quote the man page of dpkg:

    --no-act, --dry-run, --simulate
        Do everything which is supposed to be done, but don't write
        any changes. This is used to see what would happen with the
        specified action, without actually modifying anything.

So the user assumes this does not "modify anything",
and if I understood this bug correctly, this gives at least
access to the stack and allows writing/reading memory.

So this is against the defined/intended behaviour, imho,
and should thus get a CVE?

-- 
Mit freundlichen Grüßen / Regards

Sven Kieske

Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad
Oeynhausen

