On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > Hello.
> >
> > I prepared LTS security update for leptonlib. Please review and upload.
> > You can find debdiff along with the mail.
> > link:
> > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> >
>
> Abhijith,
>
> I have reviewed and uploaded the package. While you backported the
> upstream fix, I feel like their approach falls under item #2 of "The Six
> Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> help but wonder if another vulnerability will be uncovered later that
> uses different characters that are not being checked.
I found one already: it filters out `command` but not $(command).
I'm afraid this library appears to have been written without any regard
for security, or even the existence of multiuser systems.
Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
and I think there are more instances.
Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
can still see:
$ strings /usr/bin/printsplitimage | grep ^/tmp/
/tmp/split
$ strings /usr/bin/splitimage2pdf | grep ^/tmp/
/tmp/junk_split_image.ps
$ strings /usr/lib/x86_64-linux-gnu/liblept.so.5 | grep ^/tmp/
/tmp/lept/baseline/diff
/tmp/lept/baseline/diff.png
/tmp/lept/baseline/loc
/tmp/lept/baseline/loc.png
/tmp/lept/baseline/skew
/tmp/lept/baseline/baselines.png
/tmp/threshroot
/tmp/lept/plots/sides.%s
/tmp/lept/plots/sides.%d
/tmp/lept/plots/size.%s
/tmp/lept/plots/size.%d
/tmp/linfit/boxalr.ba
/tmp/linfit/boxatb.ba
/tmp/linfit/ptal.pta
/tmp/linfit/ptar.pta
/tmp/linfit/ptat.pta
/tmp/linfit/ptab.pta
/tmp/smooth/boxae.ba
/tmp/smooth/boxao.ba
/tmp/smooth/boxalfe.ba
/tmp/smooth/boxalfo.ba
/tmp/smooth/boxame.ba
/tmp/smooth/boxamo.ba
/tmp/smooth/boxamede.ba
/tmp/smooth/boxamedo.ba
...
Ben.
> In any event, once you receive the ACCEPT notice from the archive
> software you should be able to publish the DLA.
--
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
- Albert Einstein
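An added illustration of the "enumerating badness" point raised above (example code, not leptonica's code nor the Debian patch): a constructed denylist of shell metacharacters lets `$(...)` through, a filename allowlist does not, and passing the filename as an argv element without a shell removes the interpretation problem entirely. The metacharacter set and the converter tool name are assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed denylist of shell metacharacters (illustrative only, not
 * the set any real patch uses). Returns 1 if one of them appears in s.
 * Note that '$', '(' and ')' are absent, so "$(command)" passes. */
int denylist_rejects(const char *s)
{
    return strpbrk(s, "`;|&<>") != NULL;
}

/* Allowlist: accept only non-empty strings made of [A-Za-z0-9._/-].
 * Anything a shell could interpret is rejected by construction, so a
 * newly discovered metacharacter needs no new rule. */
int allowlist_accepts(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '/' || c == '-'))
            return 0;
    }
    return 1;
}

/* Run an external converter without a shell: each filename is one argv
 * element, so backticks or "$(...)" reach the tool as literal bytes and
 * are never expanded. Returns the child's exit status, or -1 on error. */
int run_convert_noshell(const char *tool, const char *infile, const char *outfile)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(tool, tool, infile, outfile, (char *)NULL);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```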