--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package plowshare4/1.0.5-2
- From: Carl Suster <carl@contraflo.ws>
- Date: Wed, 15 Jul 2015 14:08:18 +1000
- Message-id: <20150715040818.19005.32231.reportbug@debchip>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Plowshare is a series of shell scripts for interacting with file sharing
websites. Some of the scripts use the js binary provided by rhino to execute
fragments of javascript downloaded from the internet. The RC bug #791467 was
opened to point out that this is a bad idea.

The targeted fix in 1.0.5-2 simply removes the dependency on rhino and causes
plowshare to act as though javascript is unavailable. This decisively fixes the
issue at the expense of breaking compatibility with a few supported websites.
However, these break over time as the sites change so most users are likely to
be using a backported version.

I'm currently working on packaging new upstream versions and looking into a
less aggressive fix which might execute the javascript in a sandboxed
environment. I hope those packages will eventually make it into backports but
for the meantime I think this crude fix is a reasonable compromise for now.

I am hoping a mentor will upload 1.0.5-2 into unstable soon, but I would also
like to have it uploaded to stable.

Cheers,
Carl

-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru plowshare4-1.0.5/debian/changelog plowshare4-1.0.5/debian/changelog
--- plowshare4-1.0.5/debian/changelog 2014-09-04 11:43:49.000000000 +1000
+++ plowshare4-1.0.5/debian/changelog 2015-07-15 11:45:00.000000000 +1000
@@ -1,3 +1,9 @@
+plowshare4 (1.0.5-2) stable; urgency=high
+
+ * Disable javascript support (Closes: #791467)
+
+ -- Carl Suster <carl@contraflo.ws> Tue, 14 Jul 2015 18:45:22 +1000
+
plowshare4 (1.0.5-1) unstable; urgency=medium
* New upstream release.
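Review bot: The new entry's header line "plowshare4 (1.0.5-2) stable; urgency=high" uses the same version that the covering message says should also be uploaded to unstable, and one version string cannot serve both suites. For the jessie update, the usual convention is a version that sorts below the unstable one (of the form 1.0.5-1+deb8u1) with the codename "jessie" as the distribution. The single changelog bullet also leaves out two changes that are in this debdiff: the removal of rhino from Depends and the edit to debian/gbp.conf. Listing each of them would let the release team match the changelog against the diff.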
diff -Nru plowshare4-1.0.5/debian/control plowshare4-1.0.5/debian/control
--- plowshare4-1.0.5/debian/control 2014-09-01 13:24:42.000000000 +1000
+++ plowshare4-1.0.5/debian/control 2015-07-15 11:45:00.000000000 +1000
@@ -10,7 +10,7 @@
Package: plowshare4
Architecture: all
-Depends: ${misc:Depends}, bash (>=4.1), curl (>=7.24), recode | libhtml-parser-perl, rhino
+Depends: ${misc:Depends}, bash (>=4.1), curl (>=7.24), recode | libhtml-parser-perl
Recommends: qiv | feh | sxiv | imagemagick
Suggests: aview | caca-utils, fbi
Description: Download and upload files from file sharing websites
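Review bot: Dropping rhino from the Depends line does not by itself stop JavaScript from running, because the original code located the interpreter with "type -P js" and would pick up any js binary on PATH, including a rhino left installed after an upgrade. The protection therefore rests entirely on the core.sh patch. It is worth stating in the changelog that the dependency was removed only because it is now unused, and confirming that no module calls js directly instead of going through javascript().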
diff -Nru plowshare4-1.0.5/debian/gbp.conf plowshare4-1.0.5/debian/gbp.conf
--- plowshare4-1.0.5/debian/gbp.conf 2014-09-01 13:28:38.000000000 +1000
+++ plowshare4-1.0.5/debian/gbp.conf 2015-07-15 13:01:39.000000000 +1000
@@ -10,7 +10,7 @@
[buildpackage]
sign-tags = True
-prebuild = git describe --always --tags --abbrev=0 > debian/git-describe
+prebuild = echo "v1.0.5" > debian/git-describe
postbuild = lintian $GBP_CHANGES_FILE
dist = sid
pbuilder = True
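Review bot: The prebuild line now hardcodes "v1.0.5" in place of the git describe call, which is unrelated to the security fix and is not mentioned in the changelog. A stable update is easier to review when it contains only the targeted change, so either drop this edit or document why it is needed, and note that the literal will be wrong as soon as a new upstream version is packaged. The unchanged "dist = sid" line in the same section also disagrees with the "stable" distribution in the new changelog entry.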
diff -Nru plowshare4-1.0.5/debian/patches/01-diasble-javascript.patch plowshare4-1.0.5/debian/patches/01-diasble-javascript.patch
--- plowshare4-1.0.5/debian/patches/01-diasble-javascript.patch 1970-01-01 10:00:00.000000000 +1000
+++ plowshare4-1.0.5/debian/patches/01-diasble-javascript.patch 2015-07-15 11:45:00.000000000 +1000
@@ -0,0 +1,56 @@
+Author: Carl Suster <carl@contraflo.ws>
+Bug-Debian: http://bugs.debian.org/791467
+Description: Disable javascript execution
+ Plowshare uses rhino CLI to execute javascript downloaded from the Internet.
+ Since this is not filtered or sandboxed at all, the javascript can obtain
+ arbitrary access to the system and so this patch disables it.
+ .
+ Some modules will be broken by this change, but since the modules will break
+ anyway it is expected that most users will be using a more recent version of
+ this package, and in future less aggressive fixes will be investigated.
+
+Index: plowshare/src/core.sh
+===================================================================
+--- plowshare.orig/src/core.sh
++++ plowshare/src/core.sh
+@@ -1175,34 +1175,22 @@ post_login() {
+ fi
+ }
+
++# NB: Javascript disabled due to #791467
+ # Detect if a JavaScript interpreter is installed
+ # $? is zero on success
+ detect_javascript() {
+- if ! type -P js >/dev/null 2>&1; then
+- log_notice 'Javascript interpreter not found. Please install one!'
+- return $ERR_SYSTEM
+- fi
++ log_notice 'Use of Javascript interpreter is disabled in debian for security.'
++ return $ERR_SYSTEM
+ }
+
++# NB: Javascript disabled due to #791467
+ # Execute javascript code
+ #
+ # stdin: js script
+ # stdout: script result
+ javascript() {
+- local TEMPSCRIPT
+-
+- detect_javascript || return
+- TEMPSCRIPT=$(create_tempfile '.js') || return
+- cat > "$TEMPSCRIPT"
+-
+- log_report "interpreter: $(type -P js)"
+- log_report '=== JAVASCRIPT BEGIN ==='
+- logcat_report "$TEMPSCRIPT"
+- log_report '=== JAVASCRIPT END ==='
+-
+- command js "$TEMPSCRIPT"
+- rm -f "$TEMPSCRIPT"
+- return 0
++ log_notice 'Use of Javascript interpreter is disabled in debian for security.'
++ return $ERR_SYSTEM
+ }
+
+ # Wait some time
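Review bot: The stubbed javascript() keeps its header comment "stdin: js script" and "stdout: script result" but now returns without reading stdin or writing anything, so a caller that pipes a script into it may see a broken pipe on its write side as well as the $ERR_SYSTEM return. Draining stdin before returning would keep the function's contract for existing callers. The comments on detect_javascript() are stale in the same way: "Detect if a JavaScript interpreter is installed" and "$? is zero on success" no longer describe a function that always fails, so they should be reworded to say that it reports JavaScript as unavailable. In both log_notice strings "debian" should be "Debian".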
diff -Nru plowshare4-1.0.5/debian/patches/series plowshare4-1.0.5/debian/patches/series
--- plowshare4-1.0.5/debian/patches/series 1970-01-01 10:00:00.000000000 +1000
+++ plowshare4-1.0.5/debian/patches/series 2015-07-15 11:45:00.000000000 +1000
@@ -0,0 +1 @@
+01-diasble-javascript.patch
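Review bot: The patch file name is misspelled as "01-diasble-javascript.patch", both here in the series file and in the file added under debian/patches. Rename it to 01-disable-javascript.patch in both places before upload, since the name will otherwise persist in the package history.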
--- End Message ---