On Sun, Jan 14, 2018 at 08:04:12PM +0100, Helmut Grohne wrote:
> Package: drobo-utils
[...]
> /usr/lib/python2.7/dist-packages/Drobo.py contains mke2fs. According to file
> it is a Python script, ASCII text executable, with very long lines

The mke2fs command is found in a function called 'format_script' which,
according to its description, only returns a script that formats a LUN
according to given parameters, one of them being filesystem type, so ext*
is only one case among several. The script seems to be written to a file
and the path returned. The path is a hardcoded file in /tmp, which likely
means drobo-utils suffers from a tempfile vulnerability:
https://sources.debian.org/src/drobo-utils/0.6.1+repack-2/Drobo.py/#L369

Apart from ext* there's also support for ntfs or FAT32/msdos filesystems,
which results in the commands mkntfs or mkdosfs being used instead of
mke2fs. There's no relationship specified against ntfs-3g or dosfstools,
so I guess either there's no need for an e2fsprogs relationship or all
three of them are missing.

Would be great to hear from maintainers how they view this....

> /usr/lib/python2.7/dist-packages/DroboGUI.py contains mke2fs. According to
> file it is a Python script, ASCII text executable, with very long lines
[...]

This more or less could be considered a false positive. The GUI seems to
run 'which mke2fs' and if there's no result the following text is shown:
'Ext3 disabled (missing mke2fs)'
(Similar code is also available for dos and ntfs.)

Given that the GUI is the only thing using the format_script function and
the GUI seems to disable using filesystems for which a tool is not
available, my conclusion would be that at most a Recommends is warranted
(for all three of e2fsprogs, dosfstools, ntfs-3g).

Again, would be great to hear from maintainers what their view on this is....

Regards,
Andreas Henriksson
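The two points raised in the mail, a script written to a hardcoded path in /tmp and a 'which <tool>' check that disables a filesystem when its formatter is missing, are illustrated by the following added example. It is constructed for this discussion and is not drobo-utils' own code: the FORMAT_TOOLS table, the function names, the script contents (mke2fs -t, mkntfs, mkdosfs -F 32) and the use of Python 3 rather than the package's Python 2.7 are all assumptions. The insecure writer is kept only as the 'before' next to the mkstemp-based version.

```python
import os
import shutil
import stat
import tempfile

# Constructed mapping of filesystem type to the formatting tool the mail names
# (mke2fs for ext*, mkntfs for ntfs, mkdosfs for FAT32/msdos); not drobo-utils' table.
FORMAT_TOOLS = {
    "ext3": "mke2fs",
    "ext4": "mke2fs",
    "ntfs": "mkntfs",
    "msdos": "mkdosfs",
}


def available_filesystems(which=shutil.which):
    """Filesystem types whose formatting tool is on PATH.

    This is the 'which mke2fs' style check the GUI is described as doing,
    applied to all three tools. `which` is injectable so the function can be
    exercised on a machine without the tools installed.
    """
    return sorted(fs for fs, tool in FORMAT_TOOLS.items() if which(tool))


def build_format_script(device, fstype, which=shutil.which):
    """Return the text of a formatting script for `device` (hypothetical
    stand-in for format_script; the real function takes more parameters).

    Refuses to build a script for a tool that is not installed, so the
    missing-dependency case fails here rather than when the script runs.
    """
    tool = FORMAT_TOOLS[fstype]
    if which(tool) is None:
        raise LookupError("%s support disabled (missing %s)" % (fstype, tool))
    if fstype in ("ext3", "ext4"):
        cmd = "mke2fs -t %s %s" % (fstype, device)
    elif fstype == "ntfs":
        cmd = "mkntfs %s" % device
    else:  # msdos
        cmd = "mkdosfs -F 32 %s" % device
    return "#!/bin/sh\nset -e\n%s\n" % cmd


def write_script_insecure(script_text, tmpdir="/tmp"):
    """The pattern the mail flags (CWE-377, insecure temporary file): a fixed,
    predictable filename in a shared directory, opened without O_EXCL and with
    the default mode. Whatever another local user placed at that name
    beforehand is written through, so the script later executed need not be
    the one this process wrote. Kept only as the 'before' for comparison.
    """
    path = os.path.join(tmpdir, "drobo_format.sh")  # constructed name
    with open(path, "w") as fh:
        fh.write(script_text)
    return path


def write_script_secure(script_text, tmpdir=None):
    """Hardened form: tempfile.mkstemp picks an unpredictable name and opens
    it with O_CREAT|O_EXCL (plus O_NOFOLLOW where available) at mode 0600, so
    a pre-existing file or symlink at that name makes creation fail instead
    of being followed. The descriptor, not the path, is then used to write.
    """
    fd, path = tempfile.mkstemp(prefix="drobo-format-", suffix=".sh", dir=tmpdir)
    with os.fdopen(fd, "w") as fh:
        fh.write(script_text)
    os.chmod(path, stat.S_IRWXU)  # owner-only read/write/execute
    return path


if __name__ == "__main__":
    print("usable filesystems on this host:", available_filesystems())
```

Passing `which` in explicitly is what lets the dependency check be unit-tested without e2fsprogs, dosfstools or ntfs-3g present; in the real GUI the default `shutil.which` does the same job as the shell 'which' call.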