Package: apt-file
Version: 3.0
Severity: normal
Usertags: argument-injection
Tags: security

apt-file can't search for something starting with a dash (like -foo).
The reason appears to be that it passes arguments to grep without
escaping them with -- so grep doesn't interpret them as options.

There is a famous article that I can't find now where one can cause
arbitrary code execution if one can cause arbitrary argument injection
to common commands like tar. Not sure if this case is exploitable but
I'm tagging this security just in case.

pabs@chianamo ~ $ apt-file search -pkg-config
Unknown option: p
Unknown option: k
Unknown option: g
...
pabs@chianamo ~ $ apt-file search -- -pkg-config
grep: invalid option -- 'p'
Usage: grep [OPTION]... PATTERN [FILE]...
Try 'grep --help' for more information.
xargs: /usr/lib/apt/apt-helper: terminated by signal 13
Command xargs -0r /usr/lib/apt/apt-helper -c /etc/apt/apt-file.conf cat-file exited with code 125 at /usr/bin/apt-file line 234.
A subprocess exited uncleanly (raw: 32000) - result may be incomplete at /usr/bin/apt-file line 276.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (860, 'testing-proposed-updates'), (850, 'buildd-testing-proposed-updates'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt-file depends on:
ii  apt                      1.2.10
ii  libapt-pkg-perl          0.1.29+b5
ii  liblist-moreutils-perl   0.413-1+b1
ii  libregexp-assemble-perl  0.36-1
ii  perl                     5.22.1-9

apt-file recommends no packages.

apt-file suggests no packages.

-- no debconf information

--
bye,
pabs

https://wiki.debian.org/PaulWise
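
The second transcript in the report shows that the caller's own "--" does not help when the front end forwards the pattern to grep as a bare word. The sketch below is an added example, not apt-file's code (which is Perl): search_unsafe and search_safe are hypothetical stand-ins for such a front end, and the index lines are constructed.

```shell
#!/bin/sh
# Constructed sample lines in the style of a Contents index (path, package).
sample_contents() {
    printf '%s\n' \
        'usr/bin/pkg-config devel/pkg-config' \
        'usr/share/doc/x-pkg-config/README doc/x-pkg-config' \
        'usr/bin/grep utils/grep'
}

# Before (hypothetical front end): it consumes the caller's "--" while
# parsing its own options, then hands the pattern to grep unprotected.
# A pattern with a leading dash is parsed by grep as an option cluster.
search_unsafe() {
    case "$1" in --) shift ;; esac
    sample_contents | grep "$1"
}

# After: the front end ends grep's option parsing itself. Everything after
# "--" is an operand, so "-pkg-config" is treated as the pattern.
# (grep -e "$1" is an equivalent way to mark the word as a pattern.)
search_safe() {
    case "$1" in --) shift ;; esac
    sample_contents | grep -- "$1"
}

# Demo: the same request against both variants.
search_unsafe -- -pkg-config || echo "unsafe variant: grep exited with $?"
search_safe -- -pkg-config
```

The same rule applies to every external command in the pipeline that receives user-supplied words: each one needs its own end-of-options marker, because each one parses its arguments independently.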