Bug#754041: "apt-get build-dep <pkgname>" no longer secure when cwd=/tmp

To: 754041@bugs.debian.org
Subject: Bug#754041: "apt-get build-dep <pkgname>" no longer secure when cwd=/tmp
From: Jakub Wilk <jwilk@debian.org>
Date: Tue, 8 Jul 2014 00:14:35 +0200
Message-id: <[🔎] 20140707221435.GA9189@jwilk.net>
Reply-to: Jakub Wilk <jwilk@debian.org>, 754041@bugs.debian.org
In-reply-to: <[🔎] 20140707213250.GC30811@crossbow>
References: <[🔎] 20140706214926.GA8271@jwilk.net> <[🔎] 20140707213250.GC30811@crossbow>

* David Kalnischkies <david@kalnischkies.de>, 2014-07-07, 23:32:

 # apt-get build-dep nyancat
Even if we ignore security for a moment I am not a fan of this syntaxas it is too suprising for me.


I don't like it either. :)

I think I would be happier if this would always require arelative/absolute path rather than just a directory name ala: apt-getbuild-dep ./nyancat
(aka: at least one / in the pkgname before a file lookup is attempt.And a message like those for regex/glob if it matched anything)


Note that this was valid syntax in apt (<< 1.1):

# apt-get build-dep nyancat/unstable

So we might need a stricter rule than "at least one / ...".

Perhaps something like this: the argument must start with "./" or startwith "/" or end with "/" to be considered a directory name?


--
Jakub Wilk

Reply to:

References:
- Bug#754041: "apt-get build-dep <pkgname>" no longer secure when cwd=/tmp
  - From: Jakub Wilk <jwilk@debian.org>
- Bug#754041: "apt-get build-dep <pkgname>" no longer secure when cwd=/tmp
  - From: David Kalnischkies <david@kalnischkies.de>

Prev by Date: Bug#754041: "apt-get build-dep <pkgname>" no longer secure when cwd=/tmp
Next by Date: Bug#742882: apt: Does not support LFS .deb packages on 32-bit systems
Previous by thread: Bug#754041: "apt-get build-dep <pkgname>" no longer secure when cwd=/tmp
Next by thread: Bug#754041: "apt-get build-dep <pkgname>" no longer secure when cwd=/tmp
Index(es):
- Date
- Thread