Hello!

On 20/12/24 at 10:09, Santiago Ruano Rincón wrote:
> Thank you Emilio for doing the triaging, and thanks Chris for claiming
> the package.
>
> On 20/12/24 at 11:12, Emilio Pozuelo Monfort wrote:
> > On 20/12/2024 03:53, Santiago Ruano Rincón wrote:
> > > Hi Mark, and thanks for the heads-up,
> > >
> > > CC'ing the LTS mailing list for visibility. BCC'ing debian-devel.
> > >
> > > On 19/12/24 at 17:50, Mark Hindley wrote:
> > > > Hello,
> > > >
> > > > I recently completed salvaging of src:ucf[1].
> > > >
> > > > As part of code cleanup I discovered a variable inherited from the environment
> > > > which is then passed to eval[2]. Unintended code execution is trivial to
> > > > demonstrate. To my mind, this is a coding oversight. As the patch in #1089015
> > > > shows, the fix is simple and obvious.
>
> As a safety measure, I would just like to highlight this:
>
> > > > But I want to be sure that nobody is using
> > > > inheritance of this variable as an undocumented 'feature' before merging the
> > > > suggested patch.
>
> In other words, public discussion helps here to create awareness among
> LTS users, to avoid breaking configs after applying the patch.
>
> > > > The Security Team have already been consulted and are content for this to be
> > > > handled through stable-pu.
>
> As a first thought, I would say that this should be released in LTS (and
> older) after the stable-pu has been published.
>
> Chris, should we contact users with a more specific message/announcement
> to make sure we are on the safest side (and avoid breaking configs)?
>
> > > >
> > > > For completeness, unstable and testing are no longer affected as virtually all
> > > > uses of eval have been removed.
> > > >
> > > > Thanks
> > > >
> > > > Mark
> > > >
> > > > [1] https://bugs.debian.org/1086847
> > > >
> > > > [2] https://bugs.debian.org/1089015
> > >
> > > There are no point releases for the LTS release, so if this warrants a
> > > fix, it should be done via a DLA. Emilio, since you are FD this week,
> > > would you mind taking a look at this?
> >
> > Ack, let's fix this.

JFTR, Mike proposed a bullseye pu: https://bugs.debian.org/1091198. Chris, you may want to coordinate with him, so this can be uploaded after the bookworm SUA.

(My question about contacting users still remains.)

Have a nice end of the year to everyone!

-- 
Santiago
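The pattern Mark describes, a setting that a shell script lets the caller's environment supply and then hands to eval, shown beside a hardened form that owns its default and validates the value before eval sees it. This is an added illustration, not ucf's code nor the patch from #1089015; CONF_OPTS, CONF_OPTS_DEFAULT and the function names are hypothetical, and the accepted shape (one name=value pair of plain characters) is an assumption.

```shell
#!/bin/sh
# Added illustration, not ucf's own code nor the #1089015 patch.
# CONF_OPTS, apply_unsafe, opts_are_clean and apply_safe are hypothetical names.

# The pattern from the thread: the script never assigns CONF_OPTS, so whatever
# the caller's environment holds under that name is executed as shell code.
apply_unsafe() {
    eval "$CONF_OPTS"
}

# Hardened form, step 1: a default the script owns. Nothing inherited from the
# environment reaches eval unless it is passed in explicitly as an argument.
CONF_OPTS_DEFAULT='verbose=0'

# Step 2: accept only the narrow shape a setting is expected to have, here a
# single name=value pair of plain characters (assumed shape). Quotes, '$',
# ';', spaces and any other shell metacharacter cause rejection.
opts_are_clean() {
    case "$1" in
        '' | =* | [0-9]* | *=*=* | *[!A-Za-z0-9_=]* ) return 1 ;;
        *=* ) return 0 ;;
        * ) return 1 ;;
    esac
}

# Step 3: only a validated string is handed to eval; on rejection nothing runs.
apply_safe() {
    opts="${1:-$CONF_OPTS_DEFAULT}"
    if ! opts_are_clean "$opts"; then
        echo "apply_safe: rejected option string: $opts" >&2
        return 1
    fi
    eval "$opts"
}

# Stand-alone demonstration with constructed inputs.
apply_safe 'verbose=1' && echo "accepted: verbose=$verbose"
apply_safe 'verbose=1; id' || echo "blocked a value carrying a command"
```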