Hello,

This letter is addressed to the monotone mailing list as well as the Debian maintainer of the Lua shared library in Debian and the debian-security mailing list.

Background: Monotone is currently linked statically against its own copy of the Lua library. The monotone authors' motivation is, quote: "we're disabling io_popen here because it calls shell, and is thereby a horrible security hole in waiting". A similar comment is made about io_execute.

What I don't understand, and would appreciate your comments on, is why this is regarded as "a horrible security hole in waiting" by the monotone developers but not by Debian itself.

Question 1: Is it a security hole in general or only applicable to monotone?

Question 2: If the monotone developers' security concern is applicable outside monotone, shouldn't the Lua library in Debian be patched in the same way?

I would very much like to resolve this issue in such a way that I can begin to link monotone with the Lua library provided by Debian. The diff is attached to this letter.

--
Tomas Fasth <tomfa@debian.org>
GnuPG KeyId: 0x9FE8D504
Fingerprint: DC7B 9453 7F26 1BF9 6B21 9F90 C187 7355 9FE8 D504
--- lua/lua50-5.0.2/src/lib/liolib.c 2005-07-24 10:27:30.480000000 +0000 +++ monotone/monotone-0.21/lua/liolib.c 2005-07-17 23:02:12.000000000 +0000 @@ -149,14 +149,7 @@ if (f == stdin || f == stdout || f == stderr) return 0; /* file cannot be closed */ else { - int ok; - errno = 0; - ok = (pclose(f) != -1); - if (!ok) { - if (errno == ECHILD) ok = 1; /* pclose worked, but could reap child */ - else ok = (fclose(f) == 0); - } - + int ok = (pclose(f) != -1) || (fclose(f) == 0); if (ok) *(FILE **)lua_touserdata(L, 1) = NULL; /* mark file as closed */ return ok; @@ -503,7 +496,15 @@ {"close", io_close}, {"flush", io_flush}, {"open", io_open}, - {"popen", io_popen}, + + /* + monotone specific: we're disabling io_popen here because + it calls shell, and is thereby a horrible security hole in + waiting. + */ + + /* {"popen", io_popen}, */ + {"read", io_read}, {"tmpfile", io_tmpfile}, {"type", io_type}, @@ -728,7 +729,16 @@ {"clock", io_clock}, {"date", io_date}, {"difftime", io_difftime}, - {"execute", io_execute}, + + /* + monotone specific: we're disabling io_execute here because + it calls shell, and is thereby a horrible security hole in + waiting. use the execute() function (which uses posix.execvp) + in std_hooks.lua. + */ + + /* {"execute", io_execute}, */ + {"exit", io_exit}, {"getenv", io_getenv}, {"remove", io_remove},
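Review bot: the first hunk's replacement line `int ok = (pclose(f) != -1) || (fclose(f) == 0);` drops the errno/ECHILD handling present on the Debian side and reintroduces a fallback that calls fclose() on a stream pclose() has already failed on, so the same FILE may be closed twice. Since the later hunk removes `{"popen", io_popen},` from the table, no stream reaching this code can have come from popen(), which means pclose() is being applied to ordinary fopen()'d streams here; either keep Debian's version of this block or, given that popen is disabled, close with fclose() alone.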
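Review bot: in the second hunk, commenting out `{"popen", io_popen},` leaves `io.popen` as nil, so a hook that calls it fails with a generic "attempt to call a nil value" instead of an error saying it was removed on purpose; register a stub that raises an error naming the reason, and record the removal in monotone's hook documentation. The justification in the comment ("it calls shell") describes a policy choice for monotone's hook environment rather than a defect in the library, and the same effect can be had against an unpatched shared liblua by clearing `io.popen` from the io table after luaopen_io, which would remove the need to carry a private copy of liolib.c. As a style point, delete the entry and the surrounding blank lines rather than leaving commented-out code in the table.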
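Review bot: in the third hunk, the comment pointing readers to execute() in std_hooks.lua should state what actually changes: an execvp-based execute() still runs whatever program the hook names, it only stops the argument string from being parsed as shell syntax. Say so in the comment, otherwise a reader may assume the replacement confines what hooks can run. As with the popen hunk, remove the `{"execute", io_execute},` entry instead of commenting it out, and consider a stub that raises a descriptive error so hooks that still call os.execute fail with a clear message.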
Attachment:
signature.asc
Description: OpenPGP digital signature
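The question in this message turns on what "calls shell" means in practice. As an added example, not code from monotone, Lua or Debian, the C program below contrasts the two routes named in the patch's comments: popen(3), which is what Lua's io_popen wraps and which hands its argument to /bin/sh -c, and an argv-based execvp(3) call of the kind the monotone comment points to. The untrusted input string, the choice of echo as the target program and the helper names are assumptions made for this demonstration only.

```c
/*
 * Added example, not code from monotone, Lua or Debian. It shows why a
 * function that hands a string to the shell (popen(3), the call behind
 * Lua's io.popen) treats attacker-controlled text as shell syntax, while
 * an argv-based execvp(3) call passes the same text to the program as a
 * single literal argument. The "untrusted" input is constructed here.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Count newline-terminated lines read from a stream until EOF. */
static int count_lines(FILE *fp) {
    int lines = 0, c;
    while ((c = fgetc(fp)) != EOF)
        if (c == '\n') lines++;
    return lines;
}

/* Shell route: build "echo <untrusted>" and run it through popen(), which
 * executes it via /bin/sh -c. Any ; | $ ` in the text is shell syntax. */
int lines_via_popen(const char *untrusted) {
    char cmd[256];
    if (snprintf(cmd, sizeof cmd, "echo %s", untrusted) >= (int)sizeof cmd)
        return -1;                      /* would have been truncated */
    FILE *fp = popen(cmd, "r");
    if (fp == NULL) return -1;
    int n = count_lines(fp);
    pclose(fp);
    return n;
}

/* argv route: fork, connect the child's stdout to a pipe, and execvp()
 * echo with the untrusted text as one argv element. No shell is involved,
 * so the text is printed verbatim, metacharacters included. */
int lines_via_execvp(const char *untrusted) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                     /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        char *argv[] = { "echo", (char *)untrusted, NULL };
        execvp(argv[0], argv);
        _exit(127);                     /* only reached if execvp fails */
    }
    close(fds[1]);                      /* parent keeps the read end */
    FILE *fp = fdopen(fds[0], "r");
    if (fp == NULL) { close(fds[0]); return -1; }
    int n = count_lines(fp);
    fclose(fp);
    int status;
    waitpid(pid, &status, 0);
    return n;
}

int main(void) {
    /* Constructed input: looks like a file name but smuggles a second command. */
    const char *payload = "report.txt; echo INJECTED";
    printf("popen : %d line(s) of output\n", lines_via_popen(payload));
    printf("execvp: %d line(s) of output\n", lines_via_execvp(payload));
    return 0;
}
```

Run with the constructed payload, the popen() route produces two lines because the shell executes `echo INJECTED` as a second command, while the execvp() route produces one line containing the whole string. That is the entire difference the patch's comments rely on: an execvp-based replacement still runs whatever program the caller names, it only stops the argument text from being interpreted as shell syntax.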