Bug#1091198: bullseye-pu: package ucf/3.0043+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye security
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ucf@packages.debian.org
Control: affects -1 + src:ucf
Hello,
Please consider accepting src:ucf version 3.0043+deb11u1 into
bullseye. This would fix #1089015.
[ Reason ]
I have recently completed salvaging of src:ucf[1]. As part of code review I
discovered a variable inherited from the environment without initialisation
which is subsequently passed to eval[2]. Command injection is trivial to
demonstrate.
The Security team have been consulted and are content to handle this through
-pu.
To me, the issue appears to be a coding oversight. It is present in all current
stable releases.
[ Impact ]
The security issue will remain.
[ Tests ]
Manual testing has not exposed any regressions.
[ Risks ]
The fix is obvious and straightforward. There is a theoretical risk that users
might be using this inheritance as an undocumented 'feature'. However, nobody
has indicated awareness of this[3] so far.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable (but see below)
[ Changes ]
Initialise 'saved' variable before use to prevent inheritance from the
environment.
[ Other info ]
The fix in unstable/testing is different: the code has been rewritten so as to
remove virtually all uses of eval and remove the need to save/restore $@.
[1] https://bugs.debian.org/1086847
[2] https://bugs.debian.org/1089015
[3] https://lists.debian.org/debian-devel/2024/12/msg00424.html
Thanks
Mark
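To illustrate the bug class described above (an uninitialised shell variable inheriting a value from the environment before being handed to eval), here is an added example that is not part of the ucf source or this report. `quote_single` is a stand-in with the same job as ucf's helper; the constructed `saved="'injected'"` environment value stands for whatever a caller's environment might already contain.

```shell
# quote_single: wrap one argument in single quotes, escaping embedded quotes
# (stand-in for ucf's helper; constructed for this example).
quote_single() {
    printf '%s\n' "$1" | sed "s/'/'\\\\''/g"
}

# Vulnerable shape: 'saved' is appended to without being initialised, so a value
# already present in the environment becomes part of the string passed to eval.
save_args_unsafe() {
    for arg in "$@"; do
        saved="${saved:+$saved }'$(quote_single "$arg")'"
    done
    eval "set -- $saved"   # restore "$@" from the saved string
    printf '%s\n' "$#"     # number of arguments actually reconstituted
}

# Fixed shape (the deb11u1 change): initialise 'saved' before the loop,
# so only the quoted "$@" can reach eval.
save_args_safe() {
    saved=
    for arg in "$@"; do
        saved="${saved:+$saved }'$(quote_single "$arg")'"
    done
    eval "set -- $saved"
    printf '%s\n' "$#"
}

# Run each variant in a subshell whose environment already carries a quoted
# token in 'saved' (constructed). The unsafe variant reports one extra argument;
# the safe variant reports exactly the three it was given.
count_unsafe() { (saved="'injected'"; save_args_unsafe alpha "b c" "it's"); }
count_safe()   { (saved="'injected'"; save_args_safe  alpha "b c" "it's"); }
```

Running `count_unsafe` prints 4 and `count_safe` prints 3, which is the whole difference the one-line initialisation makes.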
diff -Nru ucf-3.0043+deb11u1/debian/changelog ucf-3.0043/debian/changelog
--- ucf-3.0043+deb11u1/debian/changelog 2024-12-23 11:41:23.000000000 +0000
+++ ucf-3.0043/debian/changelog 2020-06-16 06:37:53.000000000 +0100
@@ -1,9 +1,3 @@
-ucf (3.0043+deb11u1) bullseye; urgency=medium
-
- * Initialise variable subsequently passed to eval. (Closes: #1089015)
-
- -- Mark Hindley <leepen@debian.org> Mon, 23 Dec 2024 11:41:23 +0000
-
ucf (3.0043) unstable; urgency=high
* The argument to dpkg-divert needs to be the actual file name, not the
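Review bot: the debdiff is generated in the reverse direction: the `---` side is ucf-3.0043+deb11u1 (the proposed update) and the `+++` side is ucf-3.0043 (the current bullseye package), so the new changelog stanza appears as removed `-` lines. Regenerating with the arguments swapped (`diff -Nru ucf-3.0043 ucf-3.0043+deb11u1`) would show the entry as an addition and match what reviewers expect from a -pu debdiff.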
diff -Nru ucf-3.0043+deb11u1/ucf ucf-3.0043/ucf
--- ucf-3.0043+deb11u1/ucf 2024-12-23 11:41:23.000000000 +0000
+++ ucf-3.0043/ucf 2020-06-16 06:37:53.000000000 +0100
@@ -342,7 +342,6 @@
OLD_SUFFIX="ucf-old"
ERR_SUFFIX="merge-error"
# save up the cmdline with proper quoting/escaping
-saved=
for arg in "$@"; do
saved="${saved:+$saved }'$(quote_single "$arg")'"
done
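Review bot: the `saved=` initialisation (shown as a `-` line only because the diff direction is reversed) is the right minimal fix: the loop then starts from an empty string, so only the quoted `$@` reaches the later eval and a `saved` value already present in the calling environment can no longer contribute to it. Since this hunk is the entire code change, two points are worth confirming in review: that `quote_single` single-quotes every argument, including ones containing single quotes, so the reconstituted string stays inert under eval, and that no other variable consumed by eval in this script is likewise read before assignment; the unstable rewrite described in the cover note avoids both questions by removing eval.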