
Re: Linking monotone with the official lua shared library as distributed by Debian

Tomas Fasth <tomfa@debian.org> writes:

> Hello,
> This letter is addressed to the monotone mailing list as well as the
> Debian maintainer of the lua shared library in Debian and the
> debian-security mailing list.
> Background:
> Monotone is currently linked statically against its own copy of the
> lua library. The monotone authors' motivation is, quote: "we're
> disabling io_popen here because it calls shell, and is thereby a
> horrible security hole in waiting". A similar comment is made about
> io_execute.
> What I don't understand, and would appreciate you to comment on, is
> why this is regarded as "a horrible security hole in waiting" by the
> monotone developers but not by Debian itself.
> Question 1:
> Is it a security hole in general or only applicable to monotone?
> Question 2:
> If the monotone developers' security concern is applicable outside
> monotone, shouldn't the lua library in Debian be patched in the same
> way?
> I would very much like to resolve this issue in such a way that I
> can begin to link monotone with the lua library provided by Debian.
> The diff is attached to this letter.

It looks like they want to avoid the following kind of exploits:

execute("echo `rm -rf /`");

When calling a shell it will interpret the `` and start deleting.

The patch indicates that there is a built-in execute function, which
they disabled, and an external one using execvp. This changes the
syntax of execute(), changes the amount of shell quoting needed for the
argument(s) and prevents such missing quoting from escaping.
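To make the execvp point concrete, here is an added example (not the monotone patch and not code from this thread): a minimal execute-style helper that forks and calls execvp with an argument vector, so no shell ever sees the arguments. The function names run_noshell and demo_literal are assumptions, and the backquoted argument uses a harmless `id` in place of the destructive command quoted above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv[0] via execvp (no shell involved) and capture its stdout
 * into out. Returns the child's exit status, or -1 on failure. */
int run_noshell(char *const argv[], char *out, size_t outlen) {
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        /* child: route stdout into the pipe, then exec directly */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);               /* only reached if exec failed */
    }
    close(fds[1]);
    size_t n = 0;
    ssize_t r;
    while (n + 1 < outlen &&
           (r = read(fds[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstration (constructed input): the backquotes reach echo as a
 * literal string because no shell performs command substitution. A
 * harmless `id` stands in for the destructive command in the thread. */
int demo_literal(char *out, size_t outlen) {
    char *argv[] = { "echo", "`id`", NULL };
    return run_noshell(argv, out, outlen);
}

int main(void) {
    char buf[128];
    int rc = demo_literal(buf, sizeof buf);
    printf("exit=%d output=%s", rc, buf);   /* output is the literal `id` */
    return rc;
}
```

Compare this with passing the same string to system(): there the shell would run the backquoted command before echo ever saw it, which is exactly the exposure the monotone authors describe.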