
Re: upload leptonlib



On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote:
> On 2018-02-15 21:34:48, Ben Hutchings wrote:
> > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > > > Hello.
> > > > 
> > > > I prepared LTS security update for leptonlib. Please review and upload.
> > > > You can find debdiff along with the mail.
> > > > link:
> > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > > > 
> > > 
> > > Abhijith,
> > > 
> > > I have reviewed and uploaded the package. While you backported the
> > > upstream fix, I feel like their approach falls under item #2 of "The Six
> > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> > > help but wonder if another vulnerability will be uncovered later that
> > > uses different characters that are not being checked.
> > 
> > I found one already: it filters out `command` but not $(command).
> > 
> > I'm afraid this library appears to have been written without any regard
> > for security, or even the existence of multiuser systems.
> > 
> > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> > and I think there are more instances.
> > 
> > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> > can still see:
> 
> [...]
> 
> I've re-added the package to dla-needed.txt for #889759 /
> CVE-2018-3836. Should a new CVE be issued for #885704?

I think additional CVEs are needed for:

1. #890548
2. Incomplete fix for #889759 / CVE-2018-3836
3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
there is a possibility of path traversal and arbitrary file overwrite
4. #885704
5. The remaining hardcoded paths in /tmp

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that there are so many of
them.
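The denylist-versus-allowlist point made in the thread, as an added illustration that is neither leptonlib's code nor part of the original mail: a hypothetical filter that strips a few anticipated shell characters (modelling the "enumerating badness" style of fix) beside an allowlist check that accepts only a plain basename, run over constructed file names.

```python
import re

# Constructed model of an "enumerating badness" fix: strip a handful of
# characters that were anticipated as dangerous before the name reaches a
# shell. Hypothetical; not leptonlib's actual code.
DENYLIST = "`;|&"

def denylist_filter(name: str) -> str:
    """Remove only the characters someone thought to list."""
    return "".join(ch for ch in name if ch not in DENYLIST)

# Allowlist alternative: accept a bare file name built from safe characters
# and reject everything else instead of trying to sanitise it.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,255}")

def allowlist_check(name: str) -> bool:
    """True only for a plain basename: no path separators, no shell syntax."""
    return SAFE_NAME.fullmatch(name) is not None and name not in (".", "..")

def build_command(name: str) -> list:
    """Argument-vector form: no shell is involved, so metacharacters are inert."""
    if not allowlist_check(name):
        raise ValueError(f"rejected file name: {name!r}")
    return ["convert", name, name + ".png"]

def audit(samples):
    """For each constructed sample, record what the denylist leaves behind
    (command substitution, path separators) and whether the allowlist rejects it."""
    report = {}
    for s in samples:
        filtered = denylist_filter(s)
        report[s] = {
            "denylist_output": filtered,
            "still_has_subst": "$(" in filtered,
            "still_has_slash": "/" in filtered,
            "allowlist_accepts": allowlist_check(s),
        }
    return report

if __name__ == "__main__":
    # Constructed inputs: a benign name, a backtick name the denylist catches,
    # a $(...) name it misses, and a relative path it also misses.
    for name, r in audit(["scan1.tif", "`id`.tif", "$(id).tif", "../../etc/passwd"]).items():
        print(name, r)
```

The denylist strips the backticks but leaves `$(` and `/` untouched, which is exactly the class of gap the thread describes; the allowlist rejects all three unsafe names without needing to know about any particular shell syntax.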
