Package: debian-goodies
Version: 0.33
Severity: grave
Tags: security

Hi,

The checkrestart program from debian-goodies (both latest 0.33 and stable
0.27) allows arbitrary command execution with root privileges. Example:

    $ cp /bin/sleep "; OWNED"
    $ ./"; OWNED" 1000 &
    $ rm "; OWNED"
    $ sudo checkrestart
    ...
    sh: OWNED: command not found
    ...

Since this program is likely launched as a daily root cron job on some
systems, I think this is a grave security hole.

The cause of the problem is the way "dpkg --search" is spawned from the
main() function:

    ...
    dpkgQuery = 'dpkg --search ' + ' '.join(programs.keys())
    for line in os.popen(dpkgQuery).readlines():
        ...

In my above example, one of the programs.keys() is "; OWNED", and thus the
executed command is "dpkg --search ... ; OWNED ...".

Fixing this should be as easy as:

    ...
    import subprocess
    ...
    dpkgQuery = ["dpkg", "--search"] + programs.keys()
    dpkgProc = subprocess.Popen(dpkgQuery, stdout=subprocess.PIPE)
    for line in dpkgProc.stdout.readlines():
        ...

This way, the command arguments are all well separated, without any shell
interpretation.

PS: sorry for any mistake I may have made in the way I've reported this
bug. I'm not a Debian user, so I'm not used to your system. Actually, I
just happened to come across this "checkrestart" script reading a
gentoo-dev@ post:
http://article.gmane.org/gmane.linux.gentoo.devel/51366/

--
TGL.
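
The difference between the two call styles in the report, as an added example that is not part of the original message or of checkrestart itself. Assumptions: a small Python child that prints its arguments stands in for "dpkg --search" so the demo runs without dpkg, and the PROGRAMS list is a constructed sample.

```python
import shlex
import subprocess
import sys

# Assumption: stand-in for "dpkg --search" so the demo runs without dpkg.
# The child simply prints every argument it receives, one per line.
QUERY = [sys.executable, "-c", "import sys; [print(a) for a in sys.argv[1:]]"]

# Constructed sample of programs.keys(); the middle name is the one used
# in the report.
PROGRAMS = ["/usr/sbin/cron", "; OWNED", "/usr/sbin/sshd"]


def query_via_shell(programs):
    """Reported pattern: names joined into one string that /bin/sh parses."""
    cmd = " ".join(shlex.quote(a) for a in QUERY) + " " + " ".join(programs)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines(), proc.stderr


def query_via_argv(programs):
    """Proposed fix: argument list, no shell. list() is required on
    Python 3, where dict.keys() returns a view rather than a list."""
    proc = subprocess.run(QUERY + list(programs), capture_output=True, text=True)
    return proc.stdout.splitlines(), proc.stderr


if __name__ == "__main__":
    for fn in (query_via_shell, query_via_argv):
        names, err = fn(PROGRAMS)
        print(fn.__name__)
        print("  names seen by the query:", names)
        print("  stderr:", err.strip() or "(empty)")
```

With the shell string, the query receives only the names before the ";" and the shell reports that OWNED could not be run; with the argument list, all three names reach the query unchanged.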