Bug#458789: uscan: framework for using external scripts: qx/script/
Osamu Aoki
osamu at debian.org
Mon Sep 7 12:41:36 UTC 2015
Hi,
On Sat, Sep 05, 2015 at 08:30:12PM +0200, Jakub Wilk wrote:
> Hi Osamu!
>
> * Osamu Aoki <osamu at debian.org>, 2015-09-05, 23:13:
> >Let me propose a new generic mangle rule: qx/script/
> >
> >This mangles by feeding the target $string into the STDIN of script in the
> >debian directory and reading its STDOUT back into the target $string.
>
> I'm afraid this is no-no.
>
> People (and services like mentors.debian.net) run "uscan --report-status" on
> untrusted source packages. This change would introduce an arbitrary code
> execution vulnerability.
This is an expected response :-)
True. I agree such functionality should be blocked under --dehs and
--report-status. After all, any script can be executed by placing it in
place of uupdate for the non- --dehs and --report-status cases.
I am curious whether that level of limitation is enough or not.
> >I just made a proof of concept code snippet which changes the start of
> >uscan safe_replace($$) as follows:
>
> Heh, the whole point of safe_replace() is to defuse Perl regexes, which
> normally let you execute arbitrary code.
rule may not contain any expressions which have the potential to
execute code (i.e. the (?{}) and (??{}) constructs are not supported)
I am not going to push this any more. Let me get back with the multitarball
thing.
Osamu
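The thread turns on one point: a mangle rule is untrusted input, and if uscan applies it by string-evaluating the rule text, a Perl regex can carry code in (?{...}) or (??{...}) blocks. The script below is an added illustration written for this thread, not uscan's own safe_replace(); it shows the defensive shape such a function takes. The accepted rule grammar (s<delim>pattern<delim>replacement<delim>flags with a fixed delimiter set, only the g and i flags, and only $N / ${N} backreferences in the replacement) is a constructed policy for the example, and apply_mangle_rule() is a hypothetical name. The rule is compiled with qr// at run time and the replacement is expanded by hand, so no part of the rule text is ever passed to eval as code.

```perl
#!/usr/bin/perl
# Added example (not uscan's safe_replace): apply an s/pattern/replacement/flags
# mangle rule without string-evaluating it, so a rule from an untrusted package
# cannot smuggle in a code-running regex construct.
use strict;
use warnings;

# Returns (1, $result) on success or (0, $reason) when the rule is rejected.
sub apply_mangle_rule {
    my ($rule, $input) = @_;

    # Constructed policy: only the substitution form, a fixed set of
    # delimiters and only the g/i flags are recognised.
    unless ($rule =~ m{\A s ([/!\#,\@%]) (.+?) \1 (.*?) \1 ([gi]*) \z}xs) {
        return (0, 'not a recognised s/pattern/replacement/flags rule');
    }
    my ($pattern, $replacement, $flags) = ($2, $3, $4);

    # Explicitly refuse the constructs that make a Perl regex execute code:
    # (?{...}), (??{...}) and the (*{...}) form of newer perls.
    if ($pattern =~ /\(\?\??\{|\(\*\{/) {
        return (0, 'regex code block (?{...}) / (??{...}) not allowed');
    }

    # Compile through qr// at run time, never through eval "s/.../.../".
    # Perl itself refuses a run-time (?{...}) here unless `use re "eval"` is
    # active, so qr// is a second line of defence, not the only one.
    my $src = ($flags =~ /i/ ? '(?i)' : '') . $pattern;
    my $re  = eval { qr/$src/ };
    return (0, "bad regex: $@") unless defined $re;

    # Expand only $N / ${N} in the replacement; everything else is literal,
    # so the replacement text cannot interpolate variables or code either.
    my $expand = sub {
        my @groups = @_;    # index N holds capture group N
        my $out = $replacement;
        $out =~ s{\$(\d+)|\$\{(\d+)\}}{
            my $n = defined $1 ? $1 : $2;
            defined $groups[$n] ? $groups[$n] : ''
        }ge;
        return $out;
    };

    my $result = $input;
    if ($flags =~ /g/) {
        $result =~ s/$re/$expand->(undef, $1, $2, $3, $4, $5, $6, $7, $8, $9)/ge;
    } else {
        $result =~ s/$re/$expand->(undef, $1, $2, $3, $4, $5, $6, $7, $8, $9)/e;
    }
    return (1, $result);
}

# Constructed sample rules: two ordinary version mangles and two that
# would run code under a string-eval implementation.
my @demo = (
    ['s/-rc/~rc/',                   '1.2-rc1'],
    ['s/^v(\d+)\.(\d+)$/$1.$2/',     'v1.23'],
    ['s/x(?{ system("id") })/y/',    'x'],
    ['s/(.*)/ {system "id"} /e',     'anything'],
);

for my $case (@demo) {
    my ($rule, $in) = @$case;
    my ($ok, $out) = apply_mangle_rule($rule, $in);
    printf "%-36s %s\n", $rule, $ok ? "=> $out" : "REJECTED: $out";
}
```

The two ordinary rules are applied as expected; the third is rejected by the explicit construct check (and would also fail at qr// time), and the fourth never passes the grammar because the e flag is not in the allowed set. Running such a validator under --dehs and --report-status is the kind of limitation the reply above asks about: it blocks the known code paths but only for rules that stay inside the grammar, which is why the proposal to hand the string to an external script was withdrawn.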