Bug#568715: marked as done (RM: syscp/1.4.2.1-2)
Your message dated Sun, 07 Feb 2010 15:27:01 +0000
with message-id <1265556421.15387.8532.camel@kaa.jungle.aubergine.my-net-space.net>
and subject line Re: Bug#568715: RM: syscp/1.4.2.1-2
has caused the Debian Bug report #568715,
regarding RM: syscp/1.4.2.1-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
568715: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568715
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: syscp: incorrect usage of escapeshellcmd
- From: Raphael Geissert <geissert@debian.org>
- Date: Thu, 19 Nov 2009 13:30:11 -0600
- Message-id: <200911191330.12099.geissert@debian.org>
Package: syscp
Severity: important
Version: 1.4.2.1-1
Tags: security
Hi,
I just found the following incorrect usage of escapeshellcmd, when
escapeshellarg is needed:
/usr/share/syscp/lib/class_apsinstaller.php:
$Return = safe_exec('php ' . escapeshellcmd($this->RealPath .
$this->DomainPath . '/install_scripts/configure install'), $ReturnStatus);
/usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
safe_exec('openssl genrsa -out ' . escapeshellcmd($privkey_filename) . '
1024');
/usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
safe_exec("chmod 0640 " . escapeshellcmd($privkey_filename));
/usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
safe_exec('openssl rsa -in ' .
escapeshellcmd($privkey_filename) . ' -pubout -outform pem -out ' .
escapeshellcmd($pubkey_filename));
/usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
safe_exec("chmod 0664 " . escapeshellcmd($pubkey_filename));
/usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
safe_exec("chmod 0640 " . escapeshellcmd($privkey_filename));
/usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
safe_exec("chmod 0664 " . escapeshellcmd($pubkey_filename));
Using 'important' as severity and tagging as 'security' until it is verified
that the input of escapeshellcmd() comes from a trusted source and not from
the user.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---
--- Begin Message ---
- To: Jan Hauke Rahm <jhr@debian.org>, 568715-done@bugs.debian.org
- Subject: Re: Bug#568715: RM: syscp/1.4.2.1-2
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sun, 07 Feb 2010 15:27:01 +0000
- Message-id: <1265556421.15387.8532.camel@kaa.jungle.aubergine.my-net-space.net>
- In-reply-to: <20100207085625.GB2412@ca.home.jhr-online.de>
- References: <200911191330.12099.geissert@debian.org> <20100207085625.GB2412@ca.home.jhr-online.de>
On Sun, 2010-02-07 at 09:56 +0100, Jan Hauke Rahm wrote:
> reassign 568715 release.debian.org
> thanks
>
> [-release should've gotten this, bad typo]
...but still didn't get it (the mail, that is) :-) You need to CC the
receiving package on reassigns; otherwise they just get the control@
result mail, not any of your explanatory text.
> This bug reported by Raphael lead to a wider search of security relevant
> issues and I'm afraid we can't ship syscp in squeeze as it is. There are
> several 'exec' commands not escaped (some manually escaped by string
> replacing shell special chars) and I'm not willing to take the risk of a
> release for this package.
>
> Since I use this package I'm not giving up on it. So please remove it
> from testing for now and maybe (after the release or whenever) we can
> have it back again some time...
Removal hint added.
Regards,
Adam
--- End Message ---
Reply to: