Re: uscan enhancement take 3: script hook

To: debian-devel@lists.debian.org
Subject: Re: uscan enhancement take 3: script hook
From: Jakub Wilk <jwilk@debian.org>
Date: Wed, 29 Aug 2012 10:57:34 +0200
Message-id: <[🔎] 20120829085734.GA4339@jwilk.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 503DD00F.4040509@debian.org>
References: <[🔎] 20120829065509.GB22344@an3as.eu> <[🔎] 503DD00F.4040509@debian.org>

* Simon McVittie <smcv@debian.org>, 2012-08-29, 09:17:

IMHO this could be done quite simple if we would enable uscan to calla script say debian/uscan.hook (feel free to propose a better name).
This is a security flaw if you want uscan to be safe to use onuntrusted source (e.g. in DEHS). It seems that uscan tries to make itsuse of regexes, at least, not imply arbitrary code execution.

It might be a security flaw, but not a new one. :) uscan alreadyexecutes arbitrary code, unless it was called with --report:

"Finally, if a third parameter (an action) is given in the watch fileline, this is taken as the name of a command, and the command

  command --upstream-version version filename

is executed, using either the original file or the symlink name. Acommon such command would be uupdate(1)."


--
Jakub Wilk

Reply to:

References:
- uscan enhancement take 3: script hook
  - From: Andreas Tille <andreas@an3as.eu>
- Re: uscan enhancement take 3: script hook
  - From: Simon McVittie <smcv@debian.org>

Prev by Date: Re: uscan enhancement take 3: script hook
Next by Date: Re: [php-maint] Bug#670945: Bug#670945: Bug#670945: About the media types text/x-php and text/x-php-source
Previous by thread: Re: uscan enhancement take 3: script hook
Next by thread: Re: uscan enhancement take 3: script hook
Index(es):
- Date
- Thread