On Wed, 13 Mar 2019 16:41:02 +0100 Jakub Wilk wrote: > We could append or prepend a character to %d to make sure the argument > won't disappear after %-expansion, for example:
I decided to just check if the arguments are integers, attached the patch. -- bye, pabs https://wiki.debian.org/PaulWise
From 2d32c124ec8687e353fc32950d2d719fac0f671d Mon Sep 17 00:00:00 2001 From: Paul Wise <p...@debian.org> Date: Wed, 13 Mar 2019 14:15:00 +0800 Subject: [PATCH 02/11] Handle older versions of the Linux kernel in a safer way The Linux kernel does argument splitting after parameter expansion, leading to an attacker on old kernels being able control the owner variable, leading to the creation of bogus root-owned directories. Fixes: https://bugs.debian.org/924398 --- debian/changelog | 2 ++ debian/dump | 17 ++++++++++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index 8916e17..c86672b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,8 @@ corekeeper (1.7) UNRELEASED; urgency=medium * Do not use a world-writable /var/crash with the dumper script (Closes: #924397) + * Handle older versions of the Linux kernel in a safer way + (Closes: #924398) -- Paul Wise <p...@debian.org> Wed, 13 Mar 2019 14:09:50 +0800 diff --git a/debian/dump b/debian/dump index e8fc3fd..a0230e6 100644 --- a/debian/dump +++ b/debian/dump @@ -28,15 +28,26 @@ if [ "$(id -u)" != "0" ]; then exit 1 fi -# Check how many arguments the kernel sent us. -if [ $# -eq 2 ] ; then +# Check if the first two arguments are numeric +case "$1" in + (*[!0-9]*|'') num_1=1;; + (*) num_1=0;; +esac + +case "$2" in + (*[!0-9]*|'') num_2=1;; + (*) num_2=0;; +esac + +# Check how many numeric arguments the kernel sent us. +if [ "$num_1" -eq 1 ] && [ "$num_2" -eq 0 ] ; then # Awww, old kernel that does not support %d # Cannot set the core file owner safely, use root # See v3.6-6800-g12a2b4b in linux.git for more info uid="$1" core="$2" owner="0" -elif [ $# -eq 3 ] ; then +elif [ "$num_1" -eq 1 ] && [ "$num_2" -eq 1 ] ; then # Yay! A kernel that does support %d uid="$2" core="$3" -- 2.20.1
signature.asc
Description: This is a digitally signed message part
