Hello,

I recently completed the salvage of src:ucf [1]. As part of code cleanup I discovered a variable inherited from the environment which is then passed to eval [2]. Unintended code execution is trivial to demonstrate. To my mind, this is a coding oversight. As the patch in #1089015 shows, the fix is simple and obvious. But I want to be sure that nobody is using inheritance of this variable as an undocumented 'feature' before merging the suggested patch.

The Security Team have already been consulted and are content for this to be handled through stable-pu. For completeness, unstable and testing are no longer affected as virtually all uses of eval have been removed.

Thanks,
Mark

[1] https://bugs.debian.org/1086847
[2] https://bugs.debian.org/1089015
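The pattern Mark describes, an environment-inherited variable reaching eval, shown as an added illustration in POSIX sh. This is not ucf's code and not the patch from #1089015: the variable name UCF_EXAMPLE_SETTING, the two functions and the payload are all constructed for this example. The vulnerable function splices the inherited value into a string that is eval'd, so a value containing `$(...)` runs a command; the hardened function treats the value as data, never evals, and accepts only an allow-listed character set.

```shell
#!/bin/sh
# Constructed example, not ucf's code. UCF_EXAMPLE_SETTING is an invented
# variable name standing in for any setting a script inherits from its
# environment (e.g. through a wrapper, a cron job, or preserved sudo env).

# Vulnerable: the inherited value is interpolated into a command string and
# eval'd, so shell metacharacters in it are executed with the script's
# privileges.
vulnerable_get_setting() {
    eval "value=\"$UCF_EXAMPLE_SETTING\""
    printf '%s\n' "$value"
}

# Hardened: plain assignment keeps the value as data, and a case pattern
# rejects anything outside a conservative allow-list (path-like characters
# only). Returns 1 on rejection so callers can fall back to a default.
safe_get_setting() {
    value=$UCF_EXAMPLE_SETTING
    case $value in
        ''|*[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    printf '%s\n' "$value"
}

# Demonstration: a payload that creates a marker file via command
# substitution. It fires through the vulnerable path and is refused by the
# hardened one.
demo() {
    marker=$(mktemp)
    rm -f "$marker"
    UCF_EXAMPLE_SETTING="x\$(touch $marker)y"
    vulnerable_get_setting >/dev/null
    if [ -e "$marker" ]; then
        echo "vulnerable_get_setting: payload executed (marker created)"
        rm -f "$marker"
    fi
    if ! safe_get_setting >/dev/null; then
        echo "safe_get_setting: payload rejected"
    fi
    UCF_EXAMPLE_SETTING=/etc/example.conf
    echo "safe_get_setting accepts: $(safe_get_setting)"
}

demo
```

Run it with `sh` to see the marker file appear from the eval path only. The allow-list in `safe_get_setting` is deliberately strict; widen it to what the real setting needs, but never by reintroducing eval.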