reassign 568715 release.debian.org
thanks

[-release should've gotten this, bad typo]
severity 557134 serious
clone 557134 -1
reassgin -1 release.debian.org
retitle -1 RM: syscp/1.4.2.1-2
severity -1 normal
thanks

This bug reported by Raphael led to a wider search of security-relevant issues, and I'm afraid we can't ship syscp in squeeze as it is. There are several 'exec' commands not escaped (some manually escaped by string-replacing shell special chars) and I'm not willing to take the risk of a release for this package.

Since I use this package I'm not giving up on it. So please remove it from testing for now and maybe (after the release or whenever) we can have it back again some time...

Thanks,
Hauke

On Thu, Nov 19, 2009 at 01:30:11PM -0600, Raphael Geissert wrote:
> Package: syscp
> Severity: important
> Version: 1.4.2.1-1
> Tags: security
>
> Hi,
>
> I just found the following incorrect usage of escapeshellcmd, when
> escapeshellarg is needed:
>
> /usr/share/syscp/lib/class_apsinstaller.php:
> $Return = safe_exec('php ' . escapeshellcmd($this->RealPath .
> $this->DomainPath . '/install_scripts/configure install'), $ReturnStatus);
>
> /usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
> safe_exec('openssl genrsa -out ' . escapeshellcmd($privkey_filename) . '
> 1024');
>
> /usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
> safe_exec("chmod 0640 " . escapeshellcmd($privkey_filename));
>
> /usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
> safe_exec('openssl rsa -in ' .
> escapeshellcmd($privkey_filename) . ' -pubout -outform pem -out ' .
> escapeshellcmd($pubkey_filename));
>
> /usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
> safe_exec("chmod 0664 " . escapeshellcmd($pubkey_filename));
>
> /usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
> safe_exec("chmod 0640 " . escapeshellcmd($privkey_filename));
>
> /usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
> safe_exec("chmod 0664 " . escapeshellcmd($pubkey_filename));
>
> Using 'important' as severity and tagging as 'security' until it is verified
> that the input of escapeshellcmd() comes from a trusted source and not from
> the user.
>
> Cheers,
> --
> Raphael Geissert - Debian Developer
> www.debian.org - get.debian.net
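To make the escapeshellcmd/escapeshellarg distinction from Raphael's report concrete, here is an added example (not syscp's code) that builds one of the reported `chmod` command strings both ways and counts the arguments a POSIX shell would see; `$privkey_filename` is a constructed sample value and `shellWords()` is a deliberately minimal splitter written for this illustration.

```php
<?php
// Added example, not code from syscp. It shows why escapeshellcmd() is the
// wrong call for a single argument: it escapes shell metacharacters but leaves
// whitespace alone, so the argument boundary is lost. escapeshellarg() wraps
// the value in single quotes and is the fix for every call in the report.

function buildWithEscapeshellcmd(string $privkey_filename): string {
    // Reported (weak) pattern, as in cron_tasks.inc.dns.10.bind.php.
    return 'chmod 0640 ' . escapeshellcmd($privkey_filename);
}

function buildWithEscapeshellarg(string $privkey_filename): string {
    // Hardened pattern: the file name is always passed as exactly one argument.
    return 'chmod 0640 ' . escapeshellarg($privkey_filename);
}

// Minimal word splitter used only to count the arguments a POSIX shell would
// see. It understands single-quoted words and backslash escapes, nothing more.
function shellWords(string $cmd): array {
    $words = []; $cur = ''; $inQuote = false; $len = strlen($cmd);
    for ($i = 0; $i < $len; $i++) {
        $c = $cmd[$i];
        if ($inQuote) {
            if ($c === "'") { $inQuote = false; } else { $cur .= $c; }
        } elseif ($c === "'") {
            $inQuote = true;
        } elseif ($c === '\\' && $i + 1 < $len) {
            $cur .= $cmd[++$i];               // escaped character is literal
        } elseif ($c === ' ') {
            if ($cur !== '') { $words[] = $cur; $cur = ''; }
        } else {
            $cur .= $c;
        }
    }
    if ($cur !== '') { $words[] = $cur; }
    return $words;
}

// Constructed sample: a key path containing a space.
$privkey_filename = '/var/named/my domain.key';
$variants = [
    'escapeshellcmd' => buildWithEscapeshellcmd($privkey_filename),
    'escapeshellarg' => buildWithEscapeshellarg($privkey_filename),
];
foreach ($variants as $fn => $cmd) {
    $words = shellWords($cmd);
    // escapeshellcmd yields 4 words (the path is split in two);
    // escapeshellarg yields 3 words with the path intact.
    printf("%-15s %-40s -> %d args, last: %s\n", $fn, $cmd, count($words), end($words));
}
```

The same substitution applies to the `openssl genrsa`, `openssl rsa` and remaining `chmod` calls listed in the report, each file name being a single argument.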