[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Files-Excluded field and security implications of uscan and debian/copyright.

Le Sun, Sep 09, 2012 at 11:04:44PM +0200, Andreas Tille a écrit :
> On Fri, Sep 07, 2012 at 03:15:27PM +0100, Ian Jackson wrote:
> > Charles Plessy writes ("Re: Files-Excluded field and security implications of uscan and debian/copyright."):
> > > Le Fri, Sep 07, 2012 at 08:44:36AM +0900, Charles Plessy a écrit :
> > > > in the case of the Files-Excluded field, the contents of the field
> > > > are directly executed.
> > > 
> > > I mean: the contents are transferred to an expression that is
> > > directly executed.
> > 
> > This is a bug in the implementations that do that, surely ?
> ???
> I would love to get a pointer to the actual line[1] which executes
> content from debian/copyright.  TTBOMK, all expressions are part of the
> seeking string of a find statement, nothing more.

Hi Andreas,

the find commands are executed via backsticks, which potentially can execute
any arbitrary command.  I personally have not found a way to exploit this (*),
but given my lack of training in the field, I do not consider this significant,
so I asked for others opinions.  

My main question anyway is whether it would be useful to make a distinction
between fields that have a content that is more likely to be passed to shell
commands, and fields where the content is less likely to be so.

(*) Yes I looked, and maybe the most straightforward way would be to make a
fake file name containing backsticks, in order to execute a helper script in the
debian directory.

Have a nice day,

Charles Plessy
Tsurumi, Kanagawa, Japan

Reply to: