
Re: upload leptonlib



On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > Hello.
> > 
> > I prepared LTS security update for leptonlib. Please review and upload.
> > You can find debdiff along with the mail.
> > link:
> > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > 
> 
> Abhijith,
> 
> I have reviewed and uploaded the package. While you backported the
> upstream fix, I feel like their approach falls under item #2 of "The Six
> Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> help but wonder if another vulnerability will be uncovered later that
> uses different characters that are not being checked.

I found one already: it filters out `command` but not $(command).

I'm afraid this library appears to have been written without any regard
for security, or even the existence of multiuser systems.

Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
and I think there are more instances.

Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
can still see:

$ strings /usr/bin/printsplitimage | grep ^/tmp/
/tmp/split
$ strings /usr/bin/splitimage2pdf | grep ^/tmp/
/tmp/junk_split_image.ps
$ strings /usr/lib/x86_64-linux-gnu/liblept.so.5 | grep ^/tmp/
/tmp/lept/baseline/diff
/tmp/lept/baseline/diff.png
/tmp/lept/baseline/loc
/tmp/lept/baseline/loc.png
/tmp/lept/baseline/skew
/tmp/lept/baseline/baselines.png
/tmp/threshroot
/tmp/lept/plots/sides.%s
/tmp/lept/plots/sides.%d
/tmp/lept/plots/size.%s
/tmp/lept/plots/size.%d
/tmp/linfit/boxalr.ba
/tmp/linfit/boxatb.ba
/tmp/linfit/ptal.pta
/tmp/linfit/ptar.pta
/tmp/linfit/ptat.pta
/tmp/linfit/ptab.pta
/tmp/smooth/boxae.ba
/tmp/smooth/boxao.ba
/tmp/smooth/boxalfe.ba
/tmp/smooth/boxalfo.ba
/tmp/smooth/boxame.ba
/tmp/smooth/boxamo.ba
/tmp/smooth/boxamede.ba
/tmp/smooth/boxamedo.ba
...

Ben.

> In any event, once you receive the ACCEPT notice from the archive
> software you should be able to publish the DLA.

-- 
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
                                                      - Albert Einstein
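The `command` versus $(command) point above, as an added example (this is not leptonica code and the check functions are illustrative stand-ins for the upstream filter, not copies of it): a backtick-only filter, the same name carrying a $(...) substitution that sails through it, an allowlist of shell-inert characters, and the fork/execvp route that never involves a shell at all. The sample filename is constructed for the demo.

```c
/* Added example, not leptonica code: why rejecting backticks alone does not
 * stop command injection through a filename handed to sh -c, and what to do
 * instead. The check functions are illustrative stand-ins for the upstream
 * filter, not copies of it. */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* "Enumerating badness": reject a name only if it contains a backtick.
 * Returns 1 if the name would be rejected, 0 if it would be accepted. */
static int rejects_backtick_only(const char *name)
{
    return strchr(name, '`') != NULL;
}

/* A name that passes the check above but still carries a command
 * substitution the shell will expand: $(...) is equivalent to `...`. */
static int still_injectable(const char *name)
{
    return !rejects_backtick_only(name) && strstr(name, "$(") != NULL;
}

/* Allowlist ("enumerating goodness"): accept only characters that are inert
 * to sh, and refuse a leading '-' so the name cannot be parsed as an option. */
static int allowlist_ok(const char *name)
{
    if (name[0] == '\0' || name[0] == '-')
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (!isalnum(*p) && *p != '.' && *p != '_' && *p != '-' && *p != '/')
            return 0;
    }
    return 1;
}

/* The real fix: do not involve a shell at all. fork+execvp passes argv
 * verbatim, so "$(id)" or "`id`" inside a filename are just bytes.
 * Returns the child's exit status, or -1 if it could not be run. */
static int run_noshell(const char *prog, const char *file)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, (char *)file, NULL };
        execvp(prog, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *evil = "x$(id).png";   /* constructed sample filename */
    printf("backtick filter rejects %s: %d\n", evil, rejects_backtick_only(evil));
    printf("still injectable via sh -c: %d\n", still_injectable(evil));
    printf("allowlist accepts it: %d\n", allowlist_ok(evil));
    /* Contrast: system("ls x$(id).png") would run id before ls ever saw the
     * name; this hands ls the literal name, which it simply cannot find. */
    printf("run without a shell, exit status: %d\n", run_noshell("ls", evil));
    return 0;
}
```

The allowlist is the fallback for code that genuinely has to build a command line; it refuses spaces, quotes, semicolons and every other metacharacter without needing to know which ones the shell cares about. Where the program can be exec'd directly, run_noshell makes the question moot.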

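The hardcoded /tmp names listed above, as an added example (not leptonica code): the open() pattern behind a fixed name such as /tmp/split, why a pre-planted symlink turns it into a write to an arbitrary file, and two hardened alternatives (O_EXCL|O_NOFOLLOW, and a private mkdtemp() directory). The attack is simulated inside a private directory created by the demo itself, with both "attacker" and "victim" being the same user, so it runs without touching anything else in /tmp.

```c
/* Added example, not leptonica code: what a fixed name under /tmp costs,
 * and the hardened alternatives. The attack is simulated inside a private
 * directory so the demo does not touch real /tmp entries. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern behind names like /tmp/split: a predictable path created
 * with O_CREAT but no O_EXCL, so a symlink another user planted there in
 * advance is followed and its target is created or truncated. */
static int unsafe_create(const char *fixed_path)
{
    return open(fixed_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Minimal hardening for a scratch file: O_EXCL fails on any existing entry
 * (a dangling symlink included) and O_NOFOLLOW refuses a symlink at the
 * last component; 0600 keeps the contents private. */
static int safe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Better: one mkdtemp() directory (mode 0700) per run. Nobody else can
 * plant entries inside it, so fixed basenames like "split" become harmless.
 * Honours TMPDIR, falls back to /tmp. Returns 0 and fills dir on success. */
static int make_private_scratch(char *dir, size_t len)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    if (snprintf(dir, len, "%s/lept.XXXXXX", base) >= (int)len)
        return -1;
    return mkdtemp(dir) != NULL ? 0 : -1;
}

/* Simulated attack: a symlink is planted at the predictable name before the
 * victim program opens it. Returns 1 when the unsafe open followed the link
 * (the victim path appeared) and the safe open refused; 0 if not; -1 on
 * setup failure. */
static int demo_symlink_attack(void)
{
    char dir[256], link[320], victim[320];
    if (make_private_scratch(dir, sizeof dir) != 0)
        return -1;
    snprintf(link, sizeof link, "%s/split", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, link) != 0)       /* attacker's step */
        return -1;

    int followed = 0;
    int fd = unsafe_create(link);         /* victim program's open() */
    if (fd >= 0) {
        close(fd);
        followed = (access(victim, F_OK) == 0);
    }

    int safe_fd = safe_create(link);      /* hardened open() on the same path */
    int refused = (safe_fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (safe_fd >= 0)
        close(safe_fd);

    unlink(victim);
    unlink(link);
    rmdir(dir);
    return (followed && refused) ? 1 : 0;
}

int main(void)
{
    printf("unsafe open followed planted symlink, safe open refused: %d\n",
           demo_symlink_attack());
    return 0;
}
```

One caveat when reproducing this against a real /tmp: Linux kernels with fs.protected_symlinks=1 refuse to follow a symlink in a sticky world-writable directory when the link's owner differs from the follower, which blocks the classic cross-user variant; the demo runs in a private directory where both sides are the same user, so it shows the open() semantics regardless. A fixed name is still a denial of service (the other user can simply pre-create the file) and a data disclosure (0644 scratch files are world-readable), neither of which that sysctl addresses.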