Re: Bug#79620: dpkg-source must handle file permissions
>>>>> "Wichert" == Wichert Akkerman <wichert@valinux.com> writes:
Wichert> Previously J.A. Bezemer wrote:
>> Investigate makepatch/applypatch from
>> ftp://download.xs4all.nl/pub/mirror/CPAN/authors/Johan_Vromans/
>> You can at least apply such a patch with the "standard tools"
>> sh and patch, and making them with only sh and diff should be
>> possible too.
Wichert> Unpacking should *never* rely on executing sh code that
Wichert> is part of the source package, that makes unpacking a
Wichert> possible security risk.
Unpacking is already a huge security risk. As a simplistic example,
unpacking the following package could have serious consequences
especially if done by root:
[682] [snoopy:bam] ~/dangerous >tar -tzvf dangerous_0.0.tar.gz
drwxr-xr-x bam/users 0 2000-12-15 17:06:21 dangerous-0.0/
lrwxrwxrwx bam/users 0 2000-12-15 17:06:21 dangerous-0.0/etc -> /etc
-rw-r--r-- bam/users 465 2000-12-15 17:06:21 dangerous-0.0/etc/nsswitch.conf
-rw-r--r-- bam/users 2568 2000-12-15 17:06:21 dangerous-0.0/etc/passwd
-rw-r--r-- bam/users 25 2000-12-15 17:06:21 dangerous-0.0/etc/shadow
(yes - this is easy to tell just by looking at the listing, but as the
number of files increases, manually checking will become harder).
As an example of unpacking as non-root (to prove that it really is
dangerous):
[680] [snoopy:bam] ~/dangerous >ls -l dangerous-0.0
ls: dangerous-0.0: No such file or directory
[681] [snoopy:bam] ~/dangerous >dpkg-source -x dangerous_0.0.dsc
dpkg-source: extracting dangerous in dangerous-0.0
dpkg-source: failure: tar -xkf - gave error exit status 2
[682] [snoopy:bam] ~/dangerous >tar: dangerous-0.0/etc/nsswitch.conf: Cannot open: File exists
tar: dangerous-0.0/etc/passwd: Cannot open: File exists
tar: dangerous-0.0/etc/shadow: Cannot open: File exists
tar: Error exit delayed from previous errors
From these errors it may not be obvious that tar is attempting to
replace /etc/nsswitch.conf, /etc/passwd, /etc/shadow, from files given
in the archive (because of the symlink).
I tried to find options for tar to make this safe (i.e. by not
extracting symlinks), but couldn't find any.
--
Brian May <bam@debian.org>
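An added example, not part of the message above: a pre-extraction check using Python's standard tarfile module that flags members which would be written through a symlink defined earlier in the same archive, as in the listing in the message. The archive from build_sample() is constructed to mirror that listing, and the function names are this example's own.

```python
import io
import posixpath
import tarfile


def build_sample() -> bytes:
    """Constructed archive mirroring the listing in the message (dummy file contents)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        top = tarfile.TarInfo("dangerous-0.0")
        top.type, top.mode = tarfile.DIRTYPE, 0o755
        tar.addfile(top)
        link = tarfile.TarInfo("dangerous-0.0/etc")
        link.type, link.linkname = tarfile.SYMTYPE, "/etc"
        tar.addfile(link)
        for name in ("nsswitch.conf", "passwd", "shadow"):
            data = b"constructed\n"
            member = tarfile.TarInfo("dangerous-0.0/etc/" + name)
            member.size = len(data)
            tar.addfile(member, io.BytesIO(data))
    return buf.getvalue()


def audit(archive: bytes) -> list[str]:
    """Return one finding per member that could land outside the unpack directory."""
    findings = []
    symlinks = {}  # normalised member path -> target, for symlinks seen so far
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar:  # members are read only, nothing is extracted
            if m.name.startswith("/") or ".." in m.name.split("/"):
                findings.append(f"{m.name}: absolute path or '..' component")
            name = posixpath.normpath(m.name)
            parts = name.split("/")
            # A symlink in any parent position redirects the write to its target.
            for i in range(1, len(parts)):
                parent = "/".join(parts[:i])
                if parent in symlinks:
                    findings.append(
                        f"{m.name}: written through symlink {parent} -> {symlinks[parent]}")
                    break
            if m.issym():
                symlinks[name] = m.linkname
    return findings


if __name__ == "__main__":
    for line in audit(build_sample()):
        print(line)
```

The check is order-sensitive in the same way tar is: a symlink only matters for members that follow it in the archive.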