
Fun job: Please test/review patch for picocom CVE-2015-9059



Hi security,

there is a problem with the picocom terminal emulator:

picocom before 2.0 has a command injection vulnerability in the
'send and receive file' command because the command line is
executed by /bin/sh unsafely.
(https://security-tracker.debian.org/tracker/CVE-2015-9059)

The bug report https://bugs.debian.org/863671 contains a patch,
but I'm not sure whether it does what it should.

A test case would be wonderful!

If nobody can review or test the patch, there are other options:

 - remove picocom 1.7 from stretch (2.2 is in experimental and
   does not have the vulnerability, it will be in unstable ASAP
   and will be backported to both Stretch and Jessie)

 - just disable 'send and receive file', which nowadays is not
   very important anymore, I need to check how easy this is,
   but I'm optimistic

 - document the problem, but ignore it otherwise, because not
   many people will use file transfer anyway - this is neither
   Heartbleed nor Shellshock; no fancy name, no logo

TIA & Cheers

