Bug#809318: bts: overrides user-specified value of sendmail

Daniel Shahaf danielsh at apache.org
Tue Dec 29 10:15:15 UTC 2015


Package: devscripts
Version: 2.15.9
Severity: important

Dear Maintainer,

bts(1) sent an email without my permission:
..
    % bts --sendmail='() { cat $1 > /dev/tty }' reopen 999999 
    --sendmail command contained funny characters: ()
    Reverting to default value /usr/sbin/sendmail
    %
..
I expected it to invoke «system('() { cat $1 > /dev/tty } /path/to/file')»¹,
which would have printed the email to /dev/tty without sending it.

Personally, I don't see why bts(1) validates the user-specified value:
there's no trust boundary here so there's no need to guard for shell
injections.  That said, if validation is done and fails, bts(1) should
simply error out hard.

So, I think the validation should either be dropped (see attached patch)
or changed from warn() to die().  But whatever you do, don't second-guess
the user :-)

Cheers,

Daniel

P.S. Setting severity=important due to the potential to send emails
without permission, or using the wrong sendmail, but feel free to lower.
Also, the patch doesn't cause system() to be invoked on the argument
value; the value is split on spaces and fed to exec(), which fails with
«Can't exec "()": No such file or directory at scripts/bts.pl line 2651.».


-- Package-specific info:

--- /etc/devscripts.conf ---

--- ~/.devscripts ---
DEBUILD_DPKG_BUILDPACKAGE_OPTS="-us -uc -tc"
DEBUILD_LINTIAN_OPTS="--display-info --display-experimental --pedantic --fail-on-warnings --color=always"

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages devscripts depends on:
ii  dpkg-dev     1.18.4
ii  libc6        2.21-6
ii  perl         5.22.1-3
ii  python3      3.4.3-7
pn  python3:any  <none>

Versions of packages devscripts recommends:
ii  at                          3.1.18-2
ii  curl                        7.45.0-1+b1
ii  dctrl-tools                 2.24-1
pn  debian-keyring              <none>
pn  dput | dupload              <none>
pn  equivs                      <none>
ii  fakeroot                    1.20.2-1
ii  file                        1:5.25-2
ii  gnupg                       1.4.20-1
pn  libdistro-info-perl         <none>
ii  libencode-locale-perl       1.05-1
ii  libjson-perl                2.90-1
ii  liblwp-protocol-https-perl  6.06-2
pn  libsoap-lite-perl           <none>
ii  liburi-perl                 1.69-1
ii  libwww-perl                 6.15-1
ii  lintian                     2.5.39.1
ii  man-db                      2.7.5-1
ii  patch                       2.7.5-1
ii  patchutils                  0.3.4-1
pn  python3-debian              <none>
pn  python3-magic               <none>
ii  sensible-utils              0.0.9
ii  strace                      4.10-3
pn  unzip                       <none>
pn  wdiff                       <none>
ii  wget                        1.17.1-1
ii  xz-utils                    5.1.1alpha+20120614-2.1

Versions of packages devscripts suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20150408cvs-1
ii  build-essential              12.1
pn  cvs-buildpackage             <none>
pn  debbindiff                   <none>
pn  devscripts-el                <none>
pn  gnuplot                      <none>
ii  gpgv                         1.4.20-1
ii  libauthen-sasl-perl          2.1600-1
pn  libfile-desktopentry-perl    <none>
ii  libnet-smtp-ssl-perl         1.03-1
pn  libterm-size-perl            <none>
ii  libtimedate-perl             2.3000-2
pn  libyaml-syck-perl            <none>
ii  mutt                         1.5.24-1
ii  openssh-client [ssh-client]  1:7.1p1-5
pn  svn-buildpackage             <none>
ii  w3m                          0.5.3-26

-- debconf-show failed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dont-validate.diff
Type: text/x-diff
Size: 1864 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/devscripts-devel/attachments/20151229/927fc291/attachment.diff>
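The two design points the report makes (a failed validation must not silently substitute a different mailer, and a value split on whitespace and passed to exec() never reaches a shell), shown as an added Python example that is not part of the bug report or of devscripts. The allow-list of "non-funny" characters, the function names and the constructed message path are assumptions; only the default of /usr/sbin/sendmail and the report's sample value come from the page.

```python
import shlex
import shutil
import warnings

# Fallback bts reverts to, as quoted in the report.
DEFAULT_SENDMAIL = "/usr/sbin/sendmail"

# Conservative allow-list used to decide what counts as a "funny character".
# Assumption: the real set checked by bts.pl is not given on the page.
_ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/._-= ")


def funny_chars(value):
    """Return the rejected characters in value, sorted and de-duplicated."""
    return "".join(sorted({ch for ch in value if ch not in _ALLOWED}))


def resolve_sendmail_lenient(value):
    """Behaviour the report complains about: warn, then silently use the default.

    The caller continues with a mailer the user did not choose, so mail can be
    sent through a path the user never approved.
    """
    bad = funny_chars(value)
    if bad:
        warnings.warn(f"--sendmail command contained funny characters: {bad}; "
                      f"reverting to default value {DEFAULT_SENDMAIL}")
        return DEFAULT_SENDMAIL
    return value


def resolve_sendmail_strict(value):
    """Fail-closed variant: refuse to proceed rather than second-guess the user."""
    bad = funny_chars(value)
    if bad:
        raise ValueError(f"--sendmail command contained funny characters: {bad}")
    return value


def strict_accepts(value):
    """True if the strict check lets value through, False if it refuses."""
    try:
        resolve_sendmail_strict(value)
    except ValueError:
        return False
    return True


def build_exec_argv(value, message_path):
    """Split the configured command on whitespace and append the message file.

    This mirrors what the P.S. describes: no shell is involved, so shell syntax
    such as a function definition is just a sequence of literal words, and the
    first word ("()" here) is what exec() tries to find on PATH.
    """
    return value.split() + [message_path]


def exec_would_find(argv):
    """Would exec() of argv[0] resolve to a program? Uses PATH lookup, runs nothing."""
    return shutil.which(argv[0]) is not None


if __name__ == "__main__":
    sample = "() { cat $1 > /dev/tty }"  # the value from the report
    msg = "/tmp/bug-report.txt"           # constructed path
    print("lenient ->", resolve_sendmail_lenient(sample))
    print("strict accepts ->", strict_accepts(sample))
    argv = build_exec_argv(sample, msg)
    print("argv ->", shlex.join(argv), "| exec would find:", exec_would_find(argv))
```

The lenient path is what turns a typo or an unexpected character into mail leaving through a mailer the user never picked; the strict path stops at the first sign of disagreement and leaves the decision with the user.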

