
Linking monotone with the official lua shared library as distributed by Debian



Hello,

This letter is addressed to the monotone mailing list as well as the
Debian maintainer of the lua shared library in Debian and the
debian-security mailing list.

Background:
Monotone is currently linked statically against its own copy of the
lua library. The monotone authors' motivation is, quote: "we're
disabling io_popen here because it calls shell, and is thereby a
horrible security hole in waiting". A similar comment is made about
io_execute.

What I don't understand, and would appreciate your comments on, is
why this is regarded as "a horrible security hole in waiting" by the
monotone developers but not by Debian itself.

Question 1:
Is it a security hole in general or only applicable to monotone?

Question 2:
If the monotone developers' security concern is applicable outside
monotone, shouldn't the lua library in Debian be patched in the same
way?

I would very much like to resolve this issue in such a way that I
can begin to link monotone with the lua library provided by Debian.

The diff is attached to this letter.

--
Tomas Fasth <tomfa@debian.org>
GnuPG KeyId: 0x9FE8D504
Fingerprint: DC7B 9453 7F26 1BF9 6B21 9F90 C187 7355 9FE8 D504
--- lua/lua50-5.0.2/src/lib/liolib.c    2005-07-24 10:27:30.480000000 +0000
+++ monotone/monotone-0.21/lua/liolib.c 2005-07-17 23:02:12.000000000 +0000
@@ -149,14 +149,7 @@
   if (f == stdin || f == stdout || f == stderr)
     return 0;  /* file cannot be closed */
   else {
-    int ok;
-    errno = 0;
-    ok = (pclose(f) != -1);
-    if (!ok) {
-      if (errno == ECHILD) ok = 1; /* pclose worked, but could reap child */
-      else ok = (fclose(f) == 0);
-    }
-
+    int ok = (pclose(f) != -1) || (fclose(f) == 0);
     if (ok)
       *(FILE **)lua_touserdata(L, 1) = NULL;  /* mark file as closed */
     return ok;
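Review bot: The one-line form "(pclose(f) != -1) || (fclose(f) == 0)" on the + side calls fclose(f) every time pclose returns -1, including the errno == ECHILD case that the - side treats as success because pclose already did its work, so the same stream can be closed twice. Keep the ECHILD check from the - side. Alternatively, if the popen entry disabled in the next hunk means no stream handled here can come from popen any more, close with fclose(f) alone so that pclose is never called on a stream it did not open.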
@@ -503,7 +496,15 @@
   {"close", io_close},
   {"flush", io_flush},
   {"open", io_open},
-  {"popen", io_popen},
+
+  /*
+    monotone specific: we're disabling io_popen here because
+    it calls shell, and is thereby a horrible security hole in
+    waiting.
+  */
+
+  /*   {"popen", io_popen}, */
+
   {"read", io_read},
   {"tmpfile", io_tmpfile},
   {"type", io_type},
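Review bot: The comment above the disabled "popen" entry gives the reason but, unlike the matching comment on "execute" later in this patch, names no replacement, so a hook author who needs to run a program is left without guidance; point it at the execute() function in std_hooks.lua as well. Commenting out the table entry only stops the name from being registered, so if io_popen is still defined earlier in the file, remove it or guard it out in the same change rather than leaving an unreachable function behind.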
@@ -728,7 +729,16 @@
   {"clock",     io_clock},
   {"date",      io_date},
   {"difftime",  io_difftime},
-  {"execute",   io_execute},
+
+  /*
+    monotone specific: we're disabling io_execute here because
+    it calls shell, and is thereby a horrible security hole in
+    waiting. use the execute() function (which uses posix.execvp)
+    in std_hooks.lua.
+  */
+
+  /*   {"execute",   io_execute}, */
+
   {"exit",      io_exit},
   {"getenv",    io_getenv},
   {"remove",    io_remove},
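Review bot: The comment on the disabled "execute" entry names posix.execvp as the replacement without noting that execvp, while it avoids the shell, still resolves the program name through PATH; say in the comment whether callers are expected to pass absolute paths. The restriction also exists only in this bundled liolib.c, so a build linked against an unpatched lua library would register "execute" and "popen" again; the comment should state that the hooks rely on this copy being the one linked in.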
