
Bug#1091196: bookworm-pu: package ucf/3.0043+nmu1+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm security
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ucf@packages.debian.org
Control: affects -1 + src:ucf

Hello,

Please consider accepting src:ucf version 3.0043+nmu1+deb12u1 into
bookworm. This would fix #1089015.

[ Reason ]

I have recently completed salvaging of src:ucf[1]. As part of code review I
discovered a variable inherited from the environment without initialisation
which is subsequently passed to eval[2]. Command injection is trivial to
demonstrate.

The Security team have been consulted and are content to handle this through
-pu.

To me, the issue appears to be a coding oversight. It is present in all current
stable releases.

[ Impact ]

The security issue will remain.

[ Tests ]

Manual testing has not exposed any regressions.

[ Risks ]

The fix is obvious and straightforward. There is a theoretical risk that users
might be using this inheritance as an undocumented 'feature'. However, nobody
has indicated awareness of this[3] so far.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable (but see below)

[ Changes ]

Initialise 'saved' variable before use to prevent inheritance from the
environment.

[ Other info ]

The fix in unstable/testing is different: the code has been rewritten so as to
remove virtually all uses of eval and remove the need to save/restore $@.

[1]  https://bugs.debian.org/1086847

[2]  https://bugs.debian.org/1089015

[3]  https://lists.debian.org/debian-devel/2024/12/msg00424.html

Thanks

Mark

dpkg-source: warning: extracting unsigned source package (/home/mark/src/debian/build/ucf_3.0043+nmu1.dsc)
diff -Nru ucf-3.0043+nmu1/debian/changelog ucf-3.0043+nmu1+deb12u1/debian/changelog
--- ucf-3.0043+nmu1/debian/changelog	2023-01-27 13:29:51.000000000 +0000
+++ ucf-3.0043+nmu1+deb12u1/debian/changelog	2024-12-20 07:39:40.000000000 +0000
@@ -1,3 +1,9 @@
+ucf (3.0043+nmu1+deb12u1) bookworm; urgency=medium
+
+  * Initialise variable subsequently passed to eval. (Closes: #1089015)
+
+ -- Mark Hindley <leepen@debian.org>  Fri, 20 Dec 2024 07:39:40 +0000
+
 ucf (3.0043+nmu1) unstable; urgency=medium
 
   * Non-maintainer upload.
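Review bot: the new changelog line "* Initialise variable subsequently passed to eval." names neither the variable nor the consequence, so the reason for this stable update is only recoverable from #1089015; spell it out in the entry, e.g. "* Initialise 'saved' in ucf before it is built up and passed to eval, so a value inherited from the environment can no longer be injected into the restored command line (Closes: #1089015)".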
diff -Nru ucf-3.0043+nmu1/ucf ucf-3.0043+nmu1+deb12u1/ucf
--- ucf-3.0043+nmu1/ucf	2023-01-27 13:29:51.000000000 +0000
+++ ucf-3.0043+nmu1+deb12u1/ucf	2024-12-20 07:39:40.000000000 +0000
@@ -342,6 +342,7 @@
 OLD_SUFFIX="ucf-old"
 ERR_SUFFIX="merge-error"
 # save up the cmdline with proper quoting/escaping
+saved=
 for arg in "$@"; do
     saved="${saved:+$saved }'$(quote_single "$arg")'"
 done
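Review bot: the added `saved=` is correct and sufficient, because `${saved:+$saved }` then expands to nothing on the first iteration and the string is built purely from "$@"; but a bare `saved=` directly above the loop reads as redundant and is exactly the kind of line a later cleanup could drop, so give it a comment stating its purpose, e.g. `saved=  # must start empty: never take the value from the environment`. Since the unstable rewrite removed eval entirely, it is also worth confirming that no other string assembled for eval in this script is built up from an uninitialised variable in the same way.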

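The bug and the fix from the debdiff above, as an added example that is not ucf's own code: it reproduces the quoting loop with a `quote_single` helper assumed to escape embedded single quotes the way ucf's does, then rebuilds "$@" from the saved string with `eval` and shows that an environment-supplied `saved` becomes an extra positional parameter in the unfixed form, while initialising it first (the deb12u1 change) gives back exactly the original arguments.

```shell
#!/bin/sh
# Added example, not code from ucf. Demonstrates why 'saved' must be
# initialised before the quoting loop that is later passed to eval.

# Assumed to mirror ucf's helper: escape each ' as '\'' so the caller can
# wrap the result in single quotes.
quote_single() {
    printf '%s\n' "$1" | sed "s/'/'\\\\''/g"
}

# Unfixed form: 'saved' starts as whatever the environment provides.
build_saved_unfixed() {
    for arg in "$@"; do
        saved="${saved:+$saved }'$(quote_single "$arg")'"
    done
    printf '%s\n' "$saved"
}

# Fixed form (the deb12u1 change): start from an empty string.
build_saved_fixed() {
    saved=
    for arg in "$@"; do
        saved="${saved:+$saved }'$(quote_single "$arg")'"
    done
    printf '%s\n' "$saved"
}

# restore MODE ENVVALUE ARGS...: build the saved string with 'saved' preset
# to ENVVALUE (constructed, stands in for an inherited environment variable),
# rebuild "$@" from it with eval as ucf does, and print "count|arg|arg...".
# Runs in a subshell so the preset value does not leak between calls.
restore() {
    (
        mode=$1; saved=$2; shift 2
        if [ "$mode" = fixed ]; then
            s=$(build_saved_fixed "$@")
        else
            s=$(build_saved_unfixed "$@")
        fi
        eval "set -- $s"
        out=$#
        for a in "$@"; do out="$out|$a"; done
        printf '%s\n' "$out"
    )
}

# Sample run: an inherited value shows up as a third argument in the
# unfixed form and is absent in the fixed one.
restore unfixed "'injected'" a "b c"   # 3|injected|a|b c
restore fixed   "'injected'" a "b c"   # 2|a|b c
```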