Package: devscripts
Version: 2.15.9
Severity: important

Dear Maintainer,

bts(1) sent an email without my permission:
..
    % bts --sendmail='() { cat $1 > /dev/tty }' reopen 999999 
    --sendmail command contained funny characters: ()
    Reverting to default value /usr/sbin/sendmail
    %
..
I expected it to invoke «system('() { cat $1 > /dev/tty } /path/to/file')»¹,
which would have printed the email to /dev/tty without sending it.

Personally, I don't see why bts(1) validates the user-specified value:
there's no trust boundary here so there's no need to guard for shell
injections.  That said, if validation is done and fails, bts(1) should
simply error out hard.

So, I think the validation should either be dropped (see attached patch)
or changed from warn() to die().  But whatever you do, don't second-guess
the user :-)

Cheers,

Daniel

P.S. Setting severity=important due to the potential to send emails
without permission, or using the wrong sendmail, but feel free to lower.
Also, the patch doesn't cause system() to be invoked on the argument
value; the value is split on spaces and fed to exec(), which fails with
«Can't exec "()": No such file or directory at scripts/bts.pl line 2651.».


-- Package-specific info:

--- /etc/devscripts.conf ---

--- ~/.devscripts ---
DEBUILD_DPKG_BUILDPACKAGE_OPTS="-us -uc -tc"
DEBUILD_LINTIAN_OPTS="--display-info --display-experimental --pedantic 
--fail-on-warnings --color=always"

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages devscripts depends on:
ii  dpkg-dev     1.18.4
ii  libc6        2.21-6
ii  perl         5.22.1-3
ii  python3      3.4.3-7
pn  python3:any  <none>

Versions of packages devscripts recommends:
ii  at                          3.1.18-2
ii  curl                        7.45.0-1+b1
ii  dctrl-tools                 2.24-1
pn  debian-keyring              <none>
pn  dput | dupload              <none>
pn  equivs                      <none>
ii  fakeroot                    1.20.2-1
ii  file                        1:5.25-2
ii  gnupg                       1.4.20-1
pn  libdistro-info-perl         <none>
ii  libencode-locale-perl       1.05-1
ii  libjson-perl                2.90-1
ii  liblwp-protocol-https-perl  6.06-2
pn  libsoap-lite-perl           <none>
ii  liburi-perl                 1.69-1
ii  libwww-perl                 6.15-1
ii  lintian                     2.5.39.1
ii  man-db                      2.7.5-1
ii  patch                       2.7.5-1
ii  patchutils                  0.3.4-1
pn  python3-debian              <none>
pn  python3-magic               <none>
ii  sensible-utils              0.0.9
ii  strace                      4.10-3
pn  unzip                       <none>
pn  wdiff                       <none>
ii  wget                        1.17.1-1
ii  xz-utils                    5.1.1alpha+20120614-2.1

Versions of packages devscripts suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20150408cvs-1
ii  build-essential              12.1
pn  cvs-buildpackage             <none>
pn  debbindiff                   <none>
pn  devscripts-el                <none>
pn  gnuplot                      <none>
ii  gpgv                         1.4.20-1
ii  libauthen-sasl-perl          2.1600-1
pn  libfile-desktopentry-perl    <none>
ii  libnet-smtp-ssl-perl         1.03-1
pn  libterm-size-perl            <none>
ii  libtimedate-perl             2.3000-2
pn  libyaml-syck-perl            <none>
ii  mutt                         1.5.24-1
ii  openssh-client [ssh-client]  1:7.1p1-5
pn  svn-buildpackage             <none>
ii  w3m                          0.5.3-26

-- debconf-show failed
diff --git a/scripts/bts.pl b/scripts/bts.pl
index e431c6f..50c0b95 100755
--- a/scripts/bts.pl
+++ b/scripts/bts.pl
@@ -538,18 +538,6 @@ if (@ARGV and $ARGV[0] =~ /^--no-?conf$/) {
     $config_vars{'BTS_INTERACTIVE'} =~ /^(yes|no|force)$/
 	or $config_vars{'BTS_INTERACTIVE'} = 'no';
 
-    if (!length $config_vars{'BTS_SMTP_HOST'}
-        and $config_vars{'BTS_SENDMAIL_COMMAND'} ne '/usr/sbin/sendmail') {
-	my $cmd = (split ' ', $config_vars{'BTS_SENDMAIL_COMMAND'})[0];
-	unless ($cmd =~ /^~?[A-Za-z0-9_\-\+\.\/]*$/) {
-	    warn "BTS_SENDMAIL_COMMAND contained funny characters: $cmd\nReverting to default value /usr/sbin/sendmail\n";
-	    $config_vars{'BTS_SENDMAIL_COMMAND'}='/usr/sbin/sendmail';
-	} elsif (system("command -v $cmd >/dev/null 2>&1") != 0) {
-	    warn "BTS_SENDMAIL_COMMAND $cmd could not be executed.\nReverting to default value /usr/sbin/sendmail\n";
-	    $config_vars{'BTS_SENDMAIL_COMMAND'}='/usr/sbin/sendmail';
-	}
-    }
-
     foreach my $var (sort keys %config_vars) {
 	if ($config_vars{$var} ne $config_default{$var}) {
 	    $modified_conf_msg .= "  $var=$config_vars{$var}\n";
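
Review bot: Removing the whole BTS_SENDMAIL_COMMAND block (from `if (!length $config_vars{'BTS_SMTP_HOST'}` down) also drops the `command -v $cmd` existence test, so a mistyped value in the configuration is no longer reported while the configuration is read. The behaviour the report objects to is the `warn` followed by the silent reset to /usr/sbin/sendmail, not the test itself; consider keeping an existence test and turning the warn-and-revert into `die`. If a test is kept without the character-class regex in front of it, it should not interpolate `$cmd` into a shell string the way the removed `system("command -v $cmd >/dev/null 2>&1")` does.
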
@@ -674,20 +662,6 @@ $smtppass = $opt_smtppass if $opt_smtppass;
 $smtphelo = $opt_smtphelo if $opt_smtphelo;
 
 if ($opt_sendmail) {
-    if ($opt_sendmail ne '/usr/sbin/sendmail'
-	and $opt_sendmail ne $sendmailcmd) {
-	my $cmd = (split ' ', $opt_sendmail)[0];
-	unless ($cmd =~ /^~?[A-Za-z0-9_\-\+\.\/]*$/) {
-	    warn "--sendmail command contained funny characters: $cmd\nReverting to default value $sendmailcmd\n";
-	    undef $opt_sendmail;
-	} elsif (system("command -v $cmd >/dev/null 2>&1") != 0) {
-	    warn "--sendmail command $cmd could not be executed.\nReverting to default value $sendmailcmd\n";
-	    undef $opt_sendmail;
-	}
-    }
-}
-
-if ($opt_sendmail) {
     $sendmailcmd = $opt_sendmail;
     $smtphost = '';
 } else {
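
Review bot: With the first `if ($opt_sendmail)` block gone, `$sendmailcmd = $opt_sendmail;` accepts the --sendmail value with no check at all, so an unusable command is only noticed later, when it is actually run. A `die` at this point when the first word of `$opt_sendmail` cannot be executed would stop early instead of falling back, and would keep this hunk in line with whatever is decided for BTS_SENDMAIL_COMMAND in the previous hunk. The removed `warn` text was also the only place telling the user which characters --sendmail accepts, so the option's documentation should say how the value is interpreted once the check is dropped.
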
