
Re: upload leptonlib

On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > Hello.
> > 
> > I prepared LTS security update for leptonlib. Please review and upload.
> > You can find debdiff along with the mail.
> > link:
> > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > 
> Abhijith,
> I have reviewed and uploaded the package. While you backported the
> upstream fix, I feel like their approach falls under item #2 of "The Six
> Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> help but wonder if another vulnerability will be uncovered later that
> uses different characters that are not being checked.

I found one already: it filters out `command` but not $(command).

I'm afraid this library appears to have been written without any regard
for security, or even the existence of multiuser systems.

Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
and I think there are more instances.

Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
can still see:

$ strings /usr/bin/printsplitimage | grep ^/tmp/
$ strings /usr/bin/splitimage2pdf | grep ^/tmp/
$ strings /usr/lib/x86_64-linux-gnu/liblept.so.5 | grep ^/tmp/


> In any event, once you receive the ACCEPT notice from the archive
> software you should be able to publish the DLA.

Ben Hutchings
Everything should be made as simple as possible, but not simpler.
                                                      - Albert Einstein
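As an added illustration of the point Ben raises (not code from leptonlib or from either poster): a denylist check that strips backticks still lets a `$(...)` substitution through, while an allowlist of path-safe characters refuses anything it was not told to accept. Both functions and the sample filenames are hypothetical; the safest option remains not passing filenames through a shell at all (fork/exec with an argv array).

```c
#include <ctype.h>
#include <string.h>

/* "Enumerating badness": reject a filename only if it contains one of
 * the shell metacharacters we happened to think of. Backticks are on
 * the list, "$(" is not, so "$(cmd)" passes. Hypothetical example code. */
int denylist_ok(const char *name)
{
    static const char bad[] = "`;|&<>";
    for (; *name; name++)
        if (strchr(bad, *name))
            return 0;
    return 1;
}

/* Allowlist: accept only alphanumerics plus '.', '_', '-', '/'.
 * Anything outside that set is refused, whether or not we have
 * ever heard of the trick that would exploit it. */
int allowlist_ok(const char *name)
{
    if (*name == '\0')
        return 0;
    for (; *name; name++) {
        unsigned char c = (unsigned char)*name;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;
    }
    return 1;
}
```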
