
Re: Fixing src:ucf environment variable insecurity in [old]stable



On 20/12/2024 03:53, Santiago Ruano Rincón wrote:
Hi Mark, and thanks for the heads-up,

CC'ing the LTS mailing list for visibility. BCC'ing debian-devel.

On 19/12/24 at 17:50, Mark Hindley wrote:
Hello,

I recently completed salvaging of src:ucf[1].

As part of code cleanup I discovered a variable inherited from the environment
which is then passed to eval[2]. Unintended code execution is trivial to
demonstrate. To my mind, this is a coding oversight. As the patch in #1089015
shows, the fix is simple and obvious. But I want to be sure that nobody is using
inheritance of this variable as an undocumented 'feature' before merging the
suggested patch.

The Security Team have already been consulted and are content for this to be
handled through stable-pu.

For completeness, unstable and testing are no longer affected as virtually all
uses of eval have been removed.

Thanks

Mark

[1]  https://bugs.debian.org/1086847

[2]  https://bugs.debian.org/1089015


There are no point releases for the LTS release, so if this warrants a
fix, it should be done via a DLA. Emilio, since you are FD this week,
would you mind taking a look at this?

Ack, let's fix this.

Cheers,
Emilio

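The bug class Mark describes above (a variable the script never initialises, inherited from the caller's environment and then handed to eval), as an added illustration that is not ucf's code and not part of this thread: the variable name DEMO_VERBOSE, the function names and the "verbose flag" scenario are assumptions, and the hardened form shows one way to close the hole (initialise before use, drop eval), not the actual patch in #1089015.

```shell
#!/bin/sh
# Added illustration of the bug class described in the thread (not ucf's code).
# DEMO_VERBOSE and the two function names are hypothetical.

# Vulnerable pattern. The script intends DEMO_VERBOSE to be empty or the literal
# word "-v", but nothing in the script ever assigns it, so whatever the caller
# exported under that name is spliced into the string that eval parses and runs.
vulnerable_run() {
    action=$1
    # With DEMO_VERBOSE='; echo INJECTED' exported by the caller, eval sees
    #   printf '%s\n' action=install verbose=; echo INJECTED
    # and runs the injected command after printf.
    eval "printf '%s\n' action=$action verbose=$DEMO_VERBOSE"
}

# Hardened pattern. The script initialises the variable itself before first use,
# so a value inherited from the environment is discarded, and the output is built
# with plain quoting instead of eval, so no value is ever re-parsed as shell code.
hardened_run() {
    action=$1
    DEMO_VERBOSE=""                 # explicit default; inherited value discarded
    if [ "$2" = "-v" ]; then
        DEMO_VERBOSE="-v"
    fi
    printf '%s\n' "action=$action" "verbose=$DEMO_VERBOSE"
}

# Demonstration: the same hostile environment reaches both functions.
# (Constructed input; a real caller would simply export the variable.)
export DEMO_VERBOSE='; echo INJECTED'
echo "--- vulnerable_run ---"
vulnerable_run install
echo "--- hardened_run ---"
hardened_run install
```

Run it as a normal user: the first call prints an extra INJECTED line, showing the inherited value executed as a command; the second prints only the two intended lines. The same check works against any shell script: grep for eval, then ask for each variable in the eval'd string where the script first assigns it.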
