[debhelper-devel] Bug#697136: debhelper: Remote code execution, shell expansion through well-crafted source packages
Niels Thykier
niels at thykier.net
Wed Sep 2 19:48:30 UTC 2015
Control: tags -1 wontfix
On Wed, 2 Jan 2013 12:45:35 -0400 Joey Hess <joeyh at debian.org> wrote:
> No, I refuse to allow debian/control to become a security boundary
> which I have to worry about. There are too many legitimate ones in the
> world.
>
> --
> see shy jo
Hi,
I agree with Joey on this one. At the point you start the build, you
are trusting the package (upstream build included) to not brick/take
over your machine.
Arbitrary code execution in a package build is a dime a dozen. You
can much more easily hide something in the upstream build, which would not
stand out (unlike the given examples).
That said, there are certainly other programs that need to be a lot more
careful than debhelper. As an example, I can mention Lintian. If you
were able to reproduce such an issue while running such a program on a
crufted package, please do send the security team a notification.
Thanks,
~Niels