Package: grml-debootstrap
Version: 0.68
Severity: important

grml-debootstrap lacks escaping of user input. To give an example, execution with
--password '$(echo OOPS >&2)non-empty' makes grml-debootstrap execute code.
Trouble characters are $ ! ` " \ . For more details please see
https://github.com/grml/grml-debootstrap/issues/58 .

To my understanding, the fact that grml-debootstrap needs root permissions to be
operated is the reason why oss-security decided to not assign a CVE number, see
http://thread.gmane.org/gmane.comp.security.oss.general/15483 .

The bug affects all versions of grml-debootstrap (wheezy, jessie, sid).

A pull request with a proposed fix hit upstream earlier today:
https://github.com/grml/grml-debootstrap/pull/68

I'm filing a bug downstream, since this bug may be critical to the release of jessie.

Best,
Sebastian

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages grml-debootstrap depends on:
ii  cdebootstrap            0.5.9
ii  debian-archive-keyring  2014.3~deb7u1
ii  debootstrap             1.0.48+deb7u2
ii  gawk                    1:4.0.1+dfsg-2.1

Versions of packages grml-debootstrap recommends:
ii  dialog      1.1-20120215-2
ii  kpartx      0.4.9+git0.4dfdaf2b-7~deb7u2
ii  mksh        40.9.20120630-7
ii  parted      2.3-12
ii  qemu-utils  1.1.2+dfsg-6a+deb7u6

grml-debootstrap suggests no packages.

-- no debconf information
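Added illustration of the bug class described in this report, not code from grml-debootstrap or from the linked pull request: a value such as the --password argument is pasted into a command string that a nested shell re-parses, so the $ ` " \ characters are interpreted; the hardened variants either hand the value over as a positional argument or wrap it in single quotes with embedded quotes escaped. The function names and the `sh -c` stand-in for the nested shell are constructed for this example.

```shell
#!/bin/sh
# Constructed example: a user-supplied value ends up inside a command string
# that is parsed again by a child shell (the same effect as eval / chroot sh -c).

# Vulnerable pattern: the value is expanded into the command text, so any
# $(...), `...`, " or \ inside it is interpreted by the child shell.
render_unsafe() {
  sh -c "printf '%s' \"$1\""
}

# Hardened pattern 1: never put the value into the command text at all;
# pass it as a positional parameter, which the child shell treats as data.
render_safe() {
  sh -c 'printf "%s" "$1"' sh "$1"
}

# Hardened pattern 2: when the command text really must embed the value,
# wrap it in single quotes and turn every embedded ' into '\'' so that
# nothing inside is ever subject to expansion.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

render_quoted() {
  sh -c "printf '%s' $(shell_quote "$1")"
}

# Demonstration with a harmless marker instead of a real command.
probe='$(echo INJECTED)tail'
printf 'unsafe : %s\n' "$(render_unsafe "$probe")"   # INJECTEDtail
printf 'safe   : %s\n' "$(render_safe "$probe")"     # $(echo INJECTED)tail
printf 'quoted : %s\n' "$(render_quoted "$probe")"   # $(echo INJECTED)tail
```

The first line shows the embedded command substitution actually running; the two hardened forms return the value byte-for-byte, which is the behaviour a fix for this report needs for every character the author lists.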