Package: ircii
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Version: 20210314+really20190117-1
Severity: serious
Tags: security
File: /usr/bin/ircII

I straced the startup of ircII. I observed this:

access("/u/testac/.irc/local", F_OK) = -1 ENOENT (No such file or directory)
access("/usr/share/ircII//script/local", F_OK) = -1 ENOENT (No such file or directory)
access("./local", F_OK) = -1 ENOENT (No such file or directory)
access("/u/testac/.irc/local.Z", F_OK) = -1 ENOENT (No such file or directory)
access("/usr/share/ircII//script/local.Z", F_OK) = -1 ENOENT (No such file or directory)
access("./local.Z", F_OK) = -1 ENOENT (No such file or directory)

Scanning the CWD for configuration is poor practice. A user who runs "irc" in a directory containing a file "local" (and perhaps others) will have that file read and interpreted by ircII.

I think this is a security issue, hence the "serious" severity. However, it isn't readily exploitable so I have chosen to simply file a bug.

-- System Information:
Debian Release: 11.3
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-15-amd64 (SMP w/8 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages ircii depends on:
ii  libc6      2.31-13+deb11u3
ii  libcrypt1  1:4.4.18-4
ii  libssl1.1  1.1.1n-0+deb11u3
ii  libtinfo6  6.2+20201114-2

ircii recommends no packages.

ircii suggests no packages.

-- Configuration Files:
/etc/irc/motd [Errno 2] No such file or directory: '/etc/irc/motd'
/etc/irc/script/local changed [not included]

-- no debconf information
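The lookup order visible in the strace output above can be modelled to check, before launching the client, whether a script would be picked up from the current directory rather than from the user's or system script directory. This is an added example, not code from ircII or from the bug report; the home directory, the CWD value and the `exists` callback are assumptions, and the search order is taken solely from the six access() calls shown in the report.

```python
import os
from typing import Callable, List, Optional, Sequence, Tuple

# Lookup order reconstructed from the strace output in the report: each of the
# three directories is probed for the plain name first, then each directory is
# probed again for the compressed ".Z" variant. The current working directory is
# the last directory in each pass, so "./local" is loaded only when neither the
# user's nor the system copy exists; it still beats "~/.irc/local.Z".
SYSTEM_SCRIPT_DIR = "/usr/share/ircII//script"   # exactly as printed by strace
EXTENSIONS = ("", ".Z")


def search_order(name: str, home: str, cwd: str) -> List[Tuple[str, bool]]:
    """All candidate paths, in probe order, paired with a 'lives in CWD' flag."""
    dirs = (os.path.join(home, ".irc"), SYSTEM_SCRIPT_DIR, cwd)
    return [(os.path.join(d, name + ext), d == cwd)
            for ext in EXTENSIONS for d in dirs]


def resolve_script(name: str, home: str, cwd: str,
                   exists: Callable[[str], bool] = os.path.exists
                   ) -> Tuple[Optional[str], bool]:
    """First existing candidate and whether it came from the CWD.

    `exists` is injectable (assumed helper) so the lookup can be checked against
    a constructed set of files instead of the real filesystem.
    """
    for path, from_cwd in search_order(name, home, cwd):
        if exists(path):
            return path, from_cwd
    return None, False


def cwd_scripts_that_would_load(home: str, cwd: str, names: Sequence[str],
                                exists: Callable[[str], bool] = os.path.exists
                                ) -> List[str]:
    """Script names whose winning copy lives in the CWD: the case the report describes."""
    return [n for n in names if resolve_script(n, home, cwd, exists)[1]]


if __name__ == "__main__":
    # Constructed snapshot mirroring the report (user "testac", CWD "."):
    # nothing in ~/.irc or the system dir, but a stray "local" in the CWD.
    present = {"./local"}
    print(resolve_script("local", "/u/testac", ".", present.__contains__))
    print(cwd_scripts_that_would_load("/u/testac", ".", ["local"], present.__contains__))
```

Running it as a preflight in the shell from which ircII is started reports which scripts would be sourced from the working directory instead of the expected locations.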