Your message dated Fri, 14 Aug 2015 17:43:03 +0200 with message-id <20150814154303.GA20350@crossbow> and subject line Re: Bug#754041: "apt-get build-dep <pkgname>" no longer secure when cwd=/tmp has caused the Debian Bug report #754041, regarding "apt-get build-dep <pkgname>" no longer secure when cwd=/tmp to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
754041: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754041
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: "apt-get build-dep <pkgname>" no longer secure when cwd=/tmp
- From: Jakub Wilk <jwilk@debian.org>
- Date: Sun, 6 Jul 2014 23:49:26 +0200
- Message-id: <20140706214926.GA8271@jwilk.net>
Package: apt
Version: 1.1~exp1
Severity: minor
Tags: security

First of all, thanks for bringing new exciting features to apt!

I'm afraid, however, that one of these features, namely

  * add support for "apt-get build-dep unpacked-source-dir"

brought an unanticipated security regression. Consider the following command:

  # apt-get build-dep nyancat

It used to be safe to execute it regardless of what your working directory was. But in apt_1.1~exp1, this is no longer secure if cwd is world-writable, for example /tmp. A local malicious user could create crafted /tmp/nyancat/debian/control, tricking apt into installing packages of their choice. Or they could symlink /tmp/nyancat/debian/control to /dev/urandom...

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.14-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2012.4
ii  gnupg                   1.4.18-1
ii  libapt-pkg4.13          1.1~exp1
ii  libc6                   2.19-4
ii  libgcc1                 1:4.9.0-10
ii  libstdc++6              4.9.0-10

--
Jakub Wilk
--- End Message ---
--- Begin Message ---
- To: 754041-done@bugs.debian.org
- Subject: Re: Bug#754041: "apt-get build-dep <pkgname>" no longer secure when cwd=/tmp
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Fri, 14 Aug 2015 17:43:03 +0200
- Message-id: <20150814154303.GA20350@crossbow>
- In-reply-to: <20140708131648.GE8875@bod>
- References: <20140706214926.GA8271@jwilk.net> <20140708131648.GE8875@bod>
Version: 1.1~exp2

On Tue, Jul 08, 2014 at 03:16:48PM +0200, Michael Vogt wrote:
> Good point, thanks a lot for bringing this to our attention. I changed
> the code now so that it prints when using a file/directory so that the
> user is aware of it (as suggested by David).
>
> And as you suggested it now enforces that it needs a path starting
> with ./ or /.

Implemented and documented in the changelog, but the bug was never closed, let's fix that now…

Best regards

David Kalnischkies
--- End Message ---
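
The argument rule discussed in this thread, as an added example that is not apt's own code and not part of either message: a small Python model comparing the ambiguous lookup from the report with the fix (a path must start with ./ or /, and a notice is printed when one is used). The function names, the notice wording and the control file contents are assumptions constructed for the illustration.

```python
import os
import tempfile
from pathlib import Path


def resolve_ambiguous(arg, cwd):
    """Reported behaviour (modelled): a bare name becomes a source
    directory as soon as <cwd>/<arg>/debian/control exists."""
    if (Path(cwd) / arg / "debian" / "control").exists():
        return ("path", os.path.join(cwd, arg))
    return ("package", arg)


def resolve_explicit(arg, cwd, notice=print):
    """Fixed behaviour (modelled): only arguments starting with ./ or /
    are paths, and the user is told when a file/directory is used."""
    if arg.startswith(("./", "/")):
        path = os.path.normpath(os.path.join(cwd, arg))
        notice(f"Note: using '{path}' to get the build dependencies")
        return ("path", path)
    # A bare word is always a package name, whatever cwd contains.
    return ("package", arg)


def demo():
    """Resolve 'nyancat' in a directory that already contains a
    nyancat/debian/control planted by someone else."""
    notices = []
    with tempfile.TemporaryDirectory() as cwd:  # stands in for /tmp
        control = Path(cwd) / "nyancat" / "debian" / "control"
        control.parent.mkdir(parents=True)
        # Constructed sample content, not a real package.
        control.write_text("Source: nyancat\nBuild-Depends: constructed-pkg\n")
        return {
            "ambiguous, bare name": resolve_ambiguous("nyancat", cwd)[0],
            "explicit, bare name": resolve_explicit("nyancat", cwd, notices.append)[0],
            "explicit, ./ prefix": resolve_explicit("./nyancat", cwd, notices.append)[0],
            "notices": len(notices),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```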