Re: Files-Excluded field and security implications of uscan and debian/copyright.
Le Sun, Sep 09, 2012 at 11:04:44PM +0200, Andreas Tille a écrit :
> On Fri, Sep 07, 2012 at 03:15:27PM +0100, Ian Jackson wrote:
> > Charles Plessy writes ("Re: Files-Excluded field and security implications of uscan and debian/copyright."):
> > > Le Fri, Sep 07, 2012 at 08:44:36AM +0900, Charles Plessy a écrit :
> > > > in the case of the Files-Excluded field, the contents of the field
> > > > are directly executed.
> > >
> > > I mean: the contents are transferred to an expression that is
> > > directly executed.
> >
> > This is a bug in the implementations that do that, surely ?
>
> ???
>
> I would love to get a pointer to the actual line[1] which executes
> content from debian/copyright. TTBOMK, all expressions are part of the
> seeking string of a find statement, nothing more.
Hi Andreas,
the find commands are executed via backsticks, which potentially can execute
any arbitrary command. I personally have not found a way to exploit this (*),
but given my lack of training in the field, I do not consider this significant,
so I asked for others opinions.
My main question anyway is whether it would be useful to make a distinction
between fields that have a content that is more likely to be passed to shell
commands, and fields where the content is less likely to be so.
(*) Yes I looked, and maybe the most straightforward way would be to make a
fake file name containing backsticks, in order to execute a helper script in the
debian directory.
Have a nice day,
--
Charles Plessy
Tsurumi, Kanagawa, Japan
Reply to: