Re: apt-cacher: TEMP-0000000-62D57E
#include <hallo.h>
* Stefan Fritsch [Sat, Aug 06 2011, 01:29:01PM]:
> On Saturday 06 August 2011, Henri Salo wrote:
> > Does someone have more information about this issue than:
> >
> > Committed by stef-guest at 2008-01-22 23:47:35 +0200 (Tue, 22 Jan 2008):
> > """
> > CVE-2008-XXXX [apt-cacher arbitrary command execution]
> > - apt-cacher 1.6.1
> > [etch] - apt-cacher <not-affected> (vulnerable code introduced in 1.6.0)
> > [sarge] - apt-cacher <not-affected> (vulnerable code introduced in 1.6.0)
> > """
>
> The changelog has it:
>
> * Security fix -- only use red to apply pdiffs (hence urgency)
Please ask the current maintainer, like: apt-cacher@packages.debian.org
> If pdiffs are applied using ed, 'e' and '!' commands in the pdiffs
> allow the execution of arbitrary shell commands on the local host.
True, true. But what's the problem? AFAICS the package was fixed before
reaching Testing.
> > What is the correct change in version control? How about the
> > changelog entry? There seems to be an old similar issue:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1854
> >
> > """
> > [03 Aug 2005] DSA-772-1 apt-cacher - missing input sanitising
> > {CVE-2005-1854}
^^^^^^^^^^^^^^^
Stone age. Totally unrelated to the one above.
> I don't know anything about that. But IMHO pdiffs are newer, so it
> can't be the same. Maybe it's this change:
>
> apt-cacher (0.9.10) unstable; urgency=high
>
> * SECURITY: replaces execution of curl in a shell environment (with
> possibly tainted command line parts) with a safe pipe construct
Yep. And afterwards, I rewrote this whole helper command using junk.
Regards,
Eduard.
--
Every great idea is worthless without someone to do the work. --Neil Williams
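
The fix quoted in the thread switches from ed to red. As an added example (not part of the original message and not apt-cacher's code), here is a complementary check that refuses a pdiff before any editor sees it unless every command line is a plain edit. It assumes pdiffs are `diff --ed` output; all names and sample scripts are constructed for illustration.

```python
import re

# Addressed edit commands as emitted by `diff --ed`: N[,M] followed by a, c or d.
EDIT = re.compile(r"([0-9]+)(?:,([0-9]+))?([acd])")

class UnsafePdiff(ValueError):
    """Raised when an ed script contains anything but plain edit commands."""

def validate_pdiff(script: str) -> int:
    """Return the number of addressed edit commands, or raise UnsafePdiff."""
    lines = script.split("\n")      # ed splits on "\n" only, so do the same
    if lines and lines[-1] == "":
        lines.pop()                 # trailing newline, not an empty command
    in_text, count = False, 0
    for no, line in enumerate(lines, 1):
        if in_text:                 # a/c text block: data until a lone "."
            in_text = line != "."
            continue
        m = EDIT.fullmatch(line)
        if m:
            start, end, op = m.groups()
            if end is not None and int(end) < int(start):
                raise UnsafePdiff(f"line {no}: reversed range {line!r}")
            in_text = op in "ac"
            count += 1
        elif line == "a":           # bare "a": resumes text after "s/.//"
            in_text = True
        elif line != "s/.//":       # "s/.//" un-escapes a ".." text line
            raise UnsafePdiff(f"line {no}: command not allowed: {line!r}")
    if in_text:
        raise UnsafePdiff("text block not terminated by '.'")
    return count

def is_safe(script: str) -> bool:
    try:
        validate_pdiff(script)
        return True
    except UnsafePdiff:
        return False

# Constructed samples. In SAMPLE_OK the "!" line is text inside a "c" block.
SAMPLE_OK = "5,6c\nnew line\n!just data\n.\n2d\n0a\n..\n.\ns/.//\na\nmore\n.\n"
SAMPLE_BANG = "3a\ntext\n.\n!true\n"
SAMPLE_E = "1d\ne !true\n"
```

Tracking text-input mode matters here: a line-by-line grep for a leading `!` would reject SAMPLE_OK, where that line is only data, while an allowlist of command forms also rejects commands such as `e` that a denylist has to enumerate.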