[debhelper-devel] Bug#697136: debhelper: Remote code execution, shell expansion through well-crafted source packages

Niels Thykier niels at thykier.net
Wed Sep 2 19:48:30 UTC 2015


Control: tags -1 wontfix

On Wed, 2 Jan 2013 12:45:35 -0400 Joey Hess <joeyh at debian.org> wrote:
> No, I refuse to allow debian/control to become a security boundary
> which I have to worry about.  There are too many legitimate ones in the
> world.
> 
> -- 
> see shy jo

Hi,

I agree with Joey on this one.  At the point you start the build, you
are trusting the package (upstream build included) to not brick/take
over your machine.
Arbitrary code execution in a package build is a dime a dozen.  You
can much more easily hide something in the upstream build, which would
not stand out (unlike the given examples).

That said, there are certainly other programs that need to be a lot more
careful than debhelper.  As an example, I can mention Lintian.  If you
were able to reproduce such an issue while running such a program on a
crafted package, please do send the security team a notification.

Thanks,
~Niels


