Package: autopostgresqlbackup
Version: 1.0-1
Severity: grave
Tags: security patch
Hi Emmanuel,

as already mentioned in http://bugs.debian.org/706087, database names are used unmangled and unquoted inside several evals in autopgsqlbackup:

# dgrep -n eval autopostgresqlbackup
/usr/sbin/autopostgresqlbackup:302:eval rm -f "$BACKUPDIR/latest/*"
/usr/sbin/autopostgresqlbackup:359:    eval $PREBACKUP
/usr/sbin/autopostgresqlbackup:460:    eval rm -fv "$BACKUPDIR/weekly/$DB/${DB}_week.$REMW.*"
/usr/sbin/autopostgresqlbackup:471:    eval rm -fv "$BACKUPDIR/daily/$DB/*.$DOW.sql.*"
/usr/sbin/autopostgresqlbackup:507:    eval rm -fv "$BACKUPDIR/weekly/week.$REMW.*"
/usr/sbin/autopostgresqlbackup:519:    eval rm -fv "$BACKUPDIR/daily/*.$DOW.sql.*"
/usr/sbin/autopostgresqlbackup:541:    eval $POSTBACKUP
/usr/sbin/autopostgresqlbackup:603:eval rm -f "$LOGFILE"
/usr/sbin/autopostgresqlbackup:604:eval rm -f "$LOGERR"

Since PostgreSQL allows arbitrary database names, this allows PostgreSQL users who are allowed to create databases to inject shell code into autopostgresqlbackup which will be executed as root via autopostgresqlbackup's cron.daily cron job.

The fix should be easy though: All evals listed above except those for $POSTBACKUP and $PREBACKUP are unneeded and can be removed after slight quoting changes. The eval before $PREBACKUP and $POSTBACKUP can also just be removed if it's ok that backticks and variable expansion don't work within the value of $PREBACKUP and $POSTBACKUP.

Patch:

# diff -u /usr/sbin/autopostgresqlbackup.orig /usr/sbin/autopostgresqlbackup --- /usr/sbin/autopostgresqlbackup.orig 2011-05-28 20:49:12.000000000 +0200 +++ /usr/sbin/autopostgresqlbackup 2013-04-24 17:24:58.750245540 +0200 @@ -299,7 +299,7 @@ then mkdir -p "$BACKUPDIR/latest" fi -eval rm -f "$BACKUPDIR/latest/*" +rm -f "$BACKUPDIR"/latest/* fi # IO redirection for logging. 
@@ -356,7 +356,7 @@ echo ====================================================================== echo "Prebackup command output." echo - eval $PREBACKUP + $PREBACKUP echo echo ====================================================================== echo @@ -457,7 +457,7 @@ else REMW=`expr $W - 5` fi - eval rm -fv "$BACKUPDIR/weekly/$DB/${DB}_week.$REMW.*" + rm -fv "$BACKUPDIR/weekly/$DB/${DB}_week.$REMW".* echo dbdump "$DB" "$BACKUPDIR/weekly/$DB/${DB}_week.$W.$DATE.sql" compression "$BACKUPDIR/weekly/$DB/${DB}_week.$W.$DATE.sql" @@ -468,7 +468,7 @@ else echo Daily Backup of Database \( $DB \) echo Rotating last weeks Backup... - eval rm -fv "$BACKUPDIR/daily/$DB/*.$DOW.sql.*" + rm -fv "$BACKUPDIR/daily/$DB"/*."$DOW".sql.* echo dbdump "$DB" "$BACKUPDIR/daily/$DB/${DB}_$DATE.$DOW.sql" compression "$BACKUPDIR/daily/$DB/${DB}_$DATE.$DOW.sql" @@ -504,7 +504,7 @@ else REMW=`expr $W - 5` fi - eval rm -fv "$BACKUPDIR/weekly/week.$REMW.*" + rm -fv "$BACKUPDIR/weekly/week.$REMW".* echo dbdump "$DBNAMES" "$BACKUPDIR/weekly/week.$W.$DATE.sql" compression "$BACKUPDIR/weekly/week.$W.$DATE.sql" @@ -516,7 +516,7 @@ echo Daily Backup of Databases \( $DBNAMES \) echo echo Rotating last weeks Backup... - eval rm -fv "$BACKUPDIR/daily/*.$DOW.sql.*" + rm -fv "$BACKUPDIR"/daily/*."$DOW".sql.* echo dbdump "$DBNAMES" "$BACKUPDIR/daily/$DATE.$DOW.sql" compression "$BACKUPDIR/daily/$DATE.$DOW.sql" @@ -538,7 +538,7 @@ echo ====================================================================== echo "Postbackup command output." echo - eval $POSTBACKUP + $POSTBACKUP echo echo ====================================================================== fi 
@@ -600,7 +600,7 @@ fi # Clean up Logfile -eval rm -f "$LOGFILE" -eval rm -f "$LOGERR" +rm -f "$LOGFILE" +rm -f "$LOGERR" exit $STATUS

Regards, Axel
-- 
,''`.  |  Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
: :' : |  Debian Developer, ftp.ch.debian.org Admin
`. `'  |  1024D: F067 EA27 26B9 C3FC 1486 202E  C09E 1D89 9593 0EDE
  `-   |  4096R: 2517 B724 C5F6 CA99 5329 6E61  2FF9 CD59 6126 16B5
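Review bot: The `@@ -356` hunk that turns `eval $PREBACKUP` into `$PREBACKUP` changes the semantics of that value rather than fixing an injection: as the report itself notes, backticks and `$VAR` references inside it stop working, and quotes inside the value are now passed literally to the command instead of grouping arguments. Unlike the `rm` lines, this `eval` does not see a database name, so it is not the injection path the report describes; either leave the `eval` here, or, if it is removed, say so in the configuration file comments and the changelog so that existing installations with a quoted or variable-bearing `$PREBACKUP` are not silently broken.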
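Review bot: In the `@@ -468` hunk the `rm -fv "$BACKUPDIR/daily/$DB"/*."$DOW".sql.*` line is now quoted correctly, but the unchanged context line `echo Daily Backup of Database \( $DB \)` still expands `$DB` unquoted, so a name containing whitespace or glob characters is word-split and pathname-expanded before `echo` receives it. That only garbles the log line, not the command, but `echo "Daily Backup of Database ( $DB )"` keeps the log faithful to the real name and matches the quoting discipline applied to the `rm` line one line above it.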
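Review bot: The `@@ -538` hunk replacing `eval $POSTBACKUP` with `$POSTBACKUP` has the same compatibility consequence as the `$PREBACKUP` hunk (quoting, backticks and variable references in the value are no longer interpreted); treat the two identically and document the change once for both.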
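The quoting the patch relies on, as an added self-check that is not part of Axel's report or of the autopostgresqlbackup package: the hypothetical `rotate_daily` mirrors the patched daily-rotation line (only the trailing glob is left unquoted), and `demo` runs it against a constructed backup tree whose database name contains a space, a glob character and a dollar sign, checking that exactly one dump is removed.

```shell
#!/bin/sh
# Hypothetical helper, not from autopostgresqlbackup: rotate one database's
# daily dump the way the patched script does, without eval. $backupdir, $db
# and $dow sit inside double quotes and are therefore literal; only the
# unquoted "*" segments take part in pathname expansion.
rotate_daily() {
    backupdir=$1 db=$2 dow=$3
    rm -f "$backupdir/daily/$db"/*."$dow".sql.*
}

# Self-check on a constructed layout in a temporary directory. The database
# name carries a space, a "*" and a "$HOME" reference; with the quoting above
# they are matched literally and never re-expanded.
demo() {
    tmp=$(mktemp -d) || return 1
    db='my db*$HOME'
    mkdir -p "$tmp/daily/$db" "$tmp/daily/other"
    : > "$tmp/daily/$db/${db}_2013-04-24.Wed.sql.gz"
    : > "$tmp/daily/$db/${db}_2013-04-23.Tue.sql.gz"
    : > "$tmp/daily/other/other_2013-04-24.Wed.sql.gz"

    rotate_daily "$tmp" "$db" Wed

    # Expected: the Wednesday dump of "$db" is gone, the Tuesday dump and the
    # other database's Wednesday dump are untouched.
    status=0
    [ ! -e "$tmp/daily/$db/${db}_2013-04-24.Wed.sql.gz" ] || status=1
    [ -e "$tmp/daily/$db/${db}_2013-04-23.Tue.sql.gz" ] || status=1
    [ -e "$tmp/daily/other/other_2013-04-24.Wed.sql.gz" ] || status=1
    rm -rf "$tmp"
    return $status
}
```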