
the safety of commands run by lintian



Hi all,

I discussed the safety of `dash -n` and `bash -n` with Jakub Wilk.
These are used by lintian to check for bashisms. We concluded that it
was possibly unsafe to use the -n option with arbitrary scripts. TBH I
expect that other tools (such as binutils, see the thread below) run by
lintian are similarly unsafe and I wonder if the ftp-master profile
should be hardened such that it does not run any commands external to
lintian and its Perl library dependencies. The alternative might be for
ftp-master to run lintian on a VM or an external machine.

<pabs> I have a vague recollection that you mentioned that `sh -n` is
unsafe in some situations. today I learned that lintian uses that to
check for bashisms
<_jwilk> I have this vague recollection too. I don't remember the details ATM.
<_jwilk> I've found this in my IRC logs: 
https://lists.debian.org/87lfqriagj.fsf@mid.deneb.enyo.de
<_jwilk> I fuzzed "bash -n" and "dash -n" in the past and found a memory safety bug in both.
<_jwilk> #878697 could probably be exploited for code execution.
<_jwilk> There's also #858288, but I don't think anyone combines -n with -c.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
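As an added illustration of the cheaper end of the hardening discussed above (this is example code written for this note, not lintian's code and not anything ftp-master runs), the wrapper below runs "INTERPRETER -n SCRIPT" on an untrusted script from an empty scratch directory with an empty environment, no stdin, a memory limit, a file-size limit of zero and a wall-clock limit. It assumes Linux, coreutils "timeout" (skipped if absent) and an interpreter whose -n means parse-only, as with dash, bash and sh; the limit values are arbitrary. It only narrows what a parser bug reached through -n can do (hang, exhaust memory, or write files if it ever gets as far as running code); it does not replace the VM or separate-machine options from the mail.

```shell
#!/bin/sh
# Added example, not lintian code: run "INTERPRETER -n SCRIPT" on an untrusted
# script with the isolation a plain POSIX shell can provide.
# Assumptions: Linux, coreutils "timeout" (skipped if absent), and an
# interpreter whose "-n" means "parse only" (dash, bash, sh). The limits are
# arbitrary illustration values, not lintian's or Debian's settings.

# safe_syntax_check INTERPRETER SCRIPT
# Prints one of: ok, syntax-error, timeout, crash, cannot-run, not-a-file.
# Returns 0 only for "ok".
safe_syntax_check() {
    interp=$1
    script=$2

    # A FIFO or device node would make "-n" block forever; regular files only.
    [ -f "$script" ] || { echo not-a-file; return 1; }

    # Parse from an empty scratch directory so relative paths reach nothing.
    scratch=$(mktemp -d) || { echo cannot-run; return 125; }

    status=0
    (
        cd "$scratch" || exit 125
        ulimit -v 262144 2>/dev/null || true   # ~256 MiB address space
        ulimit -f 0 2>/dev/null || true        # no regular-file writes at all
        limiter=""
        command -v timeout >/dev/null 2>&1 && limiter="timeout -s KILL 10"
        # $limiter is deliberately unquoted so it splits into words.
        exec env -i PATH=/usr/bin:/bin $limiter "$interp" -n -- "$script" \
            </dev/null >/dev/null 2>&1
    ) || status=$?
    rm -rf "$scratch"

    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -eq 124 ]; then
        echo timeout            # GNU timeout's own code for "time limit hit"
    elif [ "$status" -ge 125 ] && [ "$status" -le 127 ]; then
        echo cannot-run         # timeout/env could not start the interpreter
    elif [ "$status" -ge 128 ]; then
        echo crash              # interpreter died from a signal (128 + signo)
    else
        echo syntax-error       # dash and bash exit 2 on a parse error
    fi
    return "$status"
}

# Demo on constructed inputs (written here, not taken from any package).
demo=$(mktemp -d)
printf 'if [ -n "$1" ]; then echo yes; fi\n' > "$demo/good.sh"
printf 'if [ -n "$1" ]; then echo yes\n'     > "$demo/unterminated.sh"
printf 'touch "%s/marker"\n' "$demo"         > "$demo/would-write.sh"
for f in "$demo"/*.sh; do
    printf '%s: ' "${f##*/}"
    safe_syntax_check sh "$f" || :
done
# With -n the third script is only parsed, so the marker must not appear.
if [ -e "$demo/marker" ]; then
    echo "marker exists: -n executed the script"
fi
rm -rf "$demo"
```

The exit-code mapping follows GNU timeout's conventions (124 for the time limit, 125 to 127 when the interpreter could not be started, 128 plus the signal number when it was killed); a "crash" or "timeout" result on a syntax check is exactly the signal that the parser itself, not the package, has a problem worth looking at.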


