On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > Hello.
> > 
> > I prepared an LTS security update for leptonlib. Please review and upload.
> > You can find the debdiff along with the mail.
> > link:
> > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > 
> Abhijith,
> 
> I have reviewed and uploaded the package.  While you backported the
> upstream fix, I feel like their approach falls under item #2 of "The Six
> Dumbest Ideas in Computer Security [0]": Enumerating Badness.  I cannot
> help but wonder if another vulnerability will be uncovered later that
> uses different characters that are not being checked.

I found one already: it filters out `command` but not $(command).

I'm afraid this library appears to have been written without any regard
for security, or even the existence of multiuser systems.

Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
and I think there are more instances.

Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
can still see:

$ strings /usr/bin/printsplitimage | grep ^/tmp/
/tmp/split
$ strings /usr/bin/splitimage2pdf | grep ^/tmp/
/tmp/junk_split_image.ps
$ strings /usr/lib/x86_64-linux-gnu/liblept.so.5 | grep ^/tmp/
/tmp/lept/baseline/diff
/tmp/lept/baseline/diff.png
/tmp/lept/baseline/loc
/tmp/lept/baseline/loc.png
/tmp/lept/baseline/skew
/tmp/lept/baseline/baselines.png
/tmp/threshroot
/tmp/lept/plots/sides.%s
/tmp/lept/plots/sides.%d
/tmp/lept/plots/size.%s
/tmp/lept/plots/size.%d
/tmp/linfit/boxalr.ba
/tmp/linfit/boxatb.ba
/tmp/linfit/ptal.pta
/tmp/linfit/ptar.pta
/tmp/linfit/ptat.pta
/tmp/linfit/ptab.pta
/tmp/smooth/boxae.ba
/tmp/smooth/boxao.ba
/tmp/smooth/boxalfe.ba
/tmp/smooth/boxalfo.ba
/tmp/smooth/boxame.ba
/tmp/smooth/boxamo.ba
/tmp/smooth/boxamede.ba
/tmp/smooth/boxamedo.ba
...

Ben.
> In any event, once you receive the ACCEPT notice from the archive
> software you should be able to publish the DLA.

-- 
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
                                                  - Albert Einstein
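The "Enumerating Badness" point above, as an added example in C (not leptonlib code and not part of this thread): a denylist built from an illustrative set of shell metacharacters stops `command` but lets $(command) and an embedded newline through, an allowlist rejects anything it was not told about, and running the helper program via fork/execlp with the filename as its own argv element removes the shell from the picture altogether. The function names, the DENIED_CHARS set and the sample filenames are assumptions of the example, not the upstream filter.

```c
/*
 * Added example (not leptonlib code): a denylist of shell metacharacters
 * versus an allowlist, and running a helper without a shell at all.
 * DENIED_CHARS is a hypothetical set for illustration, not upstream's list.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define DENIED_CHARS "`;|&<>"

/* Denylist ("enumerating badness"): accept the name unless it contains
 * one of the characters we happened to think of. Returns 1 if accepted. */
int denylist_accepts(const char *name)
{
    return strpbrk(name, DENIED_CHARS) == NULL;
}

/* Allowlist: accept only characters the shell never interprets, and
 * refuse an empty name or one that would parse as an option. Anything
 * new (here: '$', '(', ')', newline) is rejected by default. */
int allowlist_accepts(const char *name)
{
    if (*name == '\0' || *name == '-')
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (!(isalnum(*p) || *p == '.' || *p == '_' || *p == '-' || *p == '/'))
            return 0;
    }
    return 1;
}

/* Best option: do not build a command string. The filename travels as a
 * separate argv element, so the shell never sees it. Returns the child's
 * exit status, or -1 if fork/wait failed or the child was signalled. */
int run_without_shell(const char *prog, const char *filename)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(prog, prog, filename, (char *)NULL);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample filenames, labelled so the newline case prints. */
    struct { const char *label; const char *name; } inputs[] = {
        { "plain",      "plot.data" },
        { "backticks",  "x`id`.data" },
        { "dollar-paren", "x$(id).data" },
        { "newline",    "x\n id\n.data" },
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-13s denylist=%d allowlist=%d\n", inputs[i].label,
               denylist_accepts(inputs[i].name),
               allowlist_accepts(inputs[i].name));
    /* 'true' ignores its argument; the metacharacters are never parsed. */
    printf("run_without_shell(true, x$(id).data) -> %d\n",
           run_without_shell("true", "x$(id).data"));
    return 0;
}
```

The denylist and allowlist differ on exactly the inputs Ben is worried about: whatever the denylist's author did not enumerate passes by default, whereas the allowlist fails closed. When the program has to call out to gnuplot or a similar helper, the fork/exec form is the one to reach for, since it makes the filter unnecessary rather than merely longer.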