Bug#757529: devscripts: script for diffing packages on snapshot.debian.org
Jakub Wilk
jwilk at debian.org
Sat Aug 9 15:46:48 UTC 2014
Hi Michael,
This part doesn't look good:
> info=$(wget $url/mr/file/$hash/info -q -O-)
> name=$(echo $info | grep -Po '"'"name"'"\s*:\s*"\K([^"]*)')
> if test $name = $1_$2.dsc; then
> path=$(echo $info | grep -Po '"'"path"'"\s*:\s*"\K([^"]*)')
> date=$(echo $info | grep -Po '"'"first_seen"'"\s*:\s*"\K([^"]*)')
> dget --quiet --download-only $dget $url/archive/debian/$date$path/$1\_$2.dsc >&2
A MITM attacker could inject options to the dget command-line.
Conveniently for the attacker, --build seems to take precedence over
--download-only, so it can be abused to execute arbitrary code.
--
Jakub Wilk
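
A hardened form of the quoted lines, as an added example that is not part of the original message or of the proposed script: the values parsed from the server's reply are checked against an allow-list and handed to dget as a single quoted argument, so they cannot split into extra options. The function names, the timestamp format assumed for first_seen and the allowed path characters are assumptions.

```shell
#!/bin/sh
# Added example: validate untrusted snapshot metadata before it reaches dget.
# Field formats below are assumptions, not taken from the original script.
LC_ALL=C; export LC_ALL   # keep bracket ranges such as A-Z byte-exact

# Accept only a timestamp shaped like 20140809T154648Z (assumed format).
valid_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9]Z)
            return 0 ;;
    esac
    return 1
}

# Accept only an absolute path made of characters seen in archive paths:
# no whitespace (word splitting), no "..", nothing outside the allow-list.
valid_path() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9._+~/-]*|*..*) return 1 ;;
    esac
    return 0
}

# Print the .dsc URL, or fail without output if either field is suspicious.
# Arguments: base-url first_seen path package version
snapshot_dsc_url() {
    base=$1 date=$2 path=$3 pkg=$4 ver=$5
    valid_date "$date" || return 1
    valid_path "$path" || return 1
    printf '%s/archive/debian/%s%s/%s_%s.dsc\n' \
        "$base" "$date" "$path" "$pkg" "$ver"
}

# Download only: the URL is one quoted word, so dget sees exactly one
# non-option argument regardless of what the server sent.
fetch_dsc() {
    dsc_url=$(snapshot_dsc_url "$@") || {
        echo "rejected snapshot metadata" >&2
        return 1
    }
    dget --quiet --download-only "$dsc_url" >&2
}
```

Quoting alone stops the word splitting; the allow-list additionally rejects replies that do not look like snapshot metadata at all.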