Bug#801398: [Patch] Replace Dpkg::IPC::spawn with IPC::Run::run

Osamu Aoki osamu at debian.org
Sat Oct 10 08:16:45 UTC 2015


Hi,

On Fri, Oct 09, 2015 at 07:36:21PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Fri, Oct 09, 2015 at 05:22:16PM +0200, Sandro Mani wrote:
> > Some time back licensecheck grew a dependency on Dpkg::IPC [1], which on
> > Fedora causes the "devscripts-minimal" package (which includes licensecheck)
> > to pull in dpkg. I'd like to propose the patch below to reduce the
> > dependency load:
> [...]
> 
> If this is changed, one needs to make sure that CVE-2015-5705 /
> #794365 isn't reintroduced (argument injection vulnerability).

I understand that back-ticks are problematic, as in CVE-2015-5705.  (hmmm ...
something to keep in mind :-)  Avoiding them was a good idea.

Both Dpkg::IPC and IPC::Run seem to offer similar functionality and
similar security protection by using a list of strings instead of a
long shell-interpreted command string.  So this change itself looks
neutral for the concern raised by Salvatore.  (An in-depth evaluation may
be a good idea.  Feedback on this aspect from Sandro is appreciated.)

But before digging that deep for such security feature differences, I
fail to understand the rationale of switching from Dpkg::IPC to IPC::Run
for devscripts as presented.

I do not know how the OP wishes to use this code on Fedora, but if we look
at the devscripts package as a whole, the OP's claim "grew a dependency"
does not make sense.  The use of Dpkg::IPC was meant to avoid growing
dependencies.

Look at the package:

$ cd scripts
$ fgrep 'use Dpkg::IPC' *.pl
debdiff.pl:use Dpkg::IPC;
debuild.pl:use Dpkg::IPC;
dscverify.pl:use Dpkg::IPC;
licensecheck.pl:use Dpkg::IPC qw(spawn);
mk-build-deps.pl:use Dpkg::IPC;
mk-origtargz.pl:use Dpkg::IPC;
uscan.pl:use Dpkg::IPC;
$ fgrep 'use IPC::Run' *.pl
$ 

Let's also see the dependency chain on the Debian system:

IPC::Run is from libipc-run-perl
 libipc-run-perl is pulled in by lintian (Depends:) -- no other important ones
 lintian is pulled in by devscripts (Recommends) -- not a strong guarantee

Dpkg::IPC is from libdpkg-perl
 libdpkg-perl is pulled in by dpkg-dev (Depends:)
 dpkg-dev is pulled in by devscripts (Depends:) -- strong guarantee

If there are any security or technical advantages in light of the above
situation, please present them.  Randomly picking similar modules in a
family of programs complicates the dependency situation.  If there are
merits for switching, please present them and change them all.

Without such facts and rationale, this wish should not be implemented as
requested on licensecheck.

If the wishlist bug comes with a patch which enables either Dpkg::IPC or
IPC::Run after checking their availability, that may be implemented if
there are no security concerns.

Regards,

Osamu
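The point made above, that both modules take a list of strings rather than a shell-interpreted command line, is easy to see in running code. The script below is an added example, not code from devscripts, Dpkg::IPC or IPC::Run; it uses IPC::Run::run (the module the patch proposes) and a coreutils-style `cat`, and assumes libipc-run-perl is installed. The three file names are constructed to trigger the two failure modes: shell metacharacters, which the list form defeats, and a name beginning with `-`, which the list form alone does not, because argv is passed verbatim to `cat`, which then parses it as an option. The `--` separator is the extra step a caller has to add on top of either module.

```perl
#!/usr/bin/perl
# Added example, not devscripts code.  Contrasts back-tick interpolation with
# the list-of-strings form that IPC::Run::run (like Dpkg::IPC::spawn) takes,
# and shows the '--' that the list form alone does not give you.
# Assumes libipc-run-perl and a coreutils-style `cat` that understands '--'.
use strict;
use warnings;
use File::Temp qw(tempdir);
use IPC::Run qw(run);

# Constructed input: a scratch directory with three files whose names are
# picked to trigger the two failure modes discussed in the thread.
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";
my %files = (
    'plain.txt'        => "plain contents\n",
    'a; echo INJECTED' => "metachar file contents\n",  # shell metacharacters
    '-n'               => "dash file contents\n",      # looks like an option
);
for my $name (keys %files) {
    open my $fh, '>', $name or die "open '$name': $!";
    print {$fh} $files{$name};
    close $fh or die "close '$name': $!";
}

# 1. Back-ticks hand the whole string to /bin/sh: ';' terminates the cat
#    command and the remainder of the "file name" runs as a second command.
#    (Redirections are placed first so they bind to cat and cat never blocks
#    on stdin; they change nothing about the injection itself.)
sub cat_backticks {
    my ($name) = @_;
    my $out = `cat </dev/null 2>/dev/null $name`;   # scalar context: one string
    return $out;
}

# 2. IPC::Run::run with an array ref: no shell, each element is exactly one
#    argv entry, so metacharacters are inert.  An empty string is supplied as
#    stdin so a command that decides to read stdin returns instead of hanging.
sub cat_list {
    my ($name) = @_;
    my ($in, $out, $err) = ('', '', '');
    run [ 'cat', $name ], \$in, \$out, \$err;
    return $out;
}

# 3. Same call with '--', so a name beginning with '-' is a file operand and
#    not an option.  This is the step the list form does not do for you.
sub cat_list_dashdash {
    my ($name) = @_;
    my ($in, $out, $err) = ('', '', '');
    run [ 'cat', '--', $name ], \$in, \$out, \$err;
    return $out;
}

sub show {
    my ($s) = @_;
    return length $s ? $s : "(empty: the file was never read)\n";
}

for my $name ('plain.txt', 'a; echo INJECTED', '-n') {
    print "file '$name'\n";
    print '  back-ticks     : ', show(cat_backticks($name));
    print '  list           : ', show(cat_list($name));
    print "  list with '--' : ", show(cat_list_dashdash($name));
}
```

Running it, `plain.txt` is read by all three variants. For `a; echo INJECTED` the back-tick variant prints `INJECTED` (the shell ran a second command) while both list variants print the file's contents. For `-n`, both the back-tick and the plain list variant print nothing, because `cat` took `-n` as an option and read the empty stdin; only the `--` variant reads the file. Dpkg::IPC::spawn takes the same array reference through its `exec` option, so, as the mail says, swapping one module for the other is neutral here; what matters is that the code keeps passing a list and adds `--` in front of any operand that could start with `-`.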