Steve Kemp <st...@steve.org.uk> writes:

> Package: stalin
> Version: 0.11-5
> Severity: critical
> Tags: security
>
> When `stalin` launches it attempts to detect its environment via
> the following code in /usr/lib/stalin/QobiScheme.sc:
>
>   (system "uname -m >/tmp/QobiScheme.tmp")
>   ...
>   (system "rm -f /tmp/QobiScheme.tmp"))
I have a possible fix for this, which should affect all versions in Debian (0.11-6 in stretch/sid, 0.11-5 in wheezy/jessie), and I think I will be able to generate patches (and/or packages) if it seems acceptable.

The current fix requires two primary changes. One is to stop overriding the gcc optimization level on amd64 (to revert to the default -O2, instead of -O0). Otherwise gcc will segfault (tested against 5.3.1-3, 4.9.3-10, and 4.6.4-7), and we won't be able to build the package.

The second requires changes to the Scheme compiler itself to add support for a few new functions (debian-popen-in, debian-popen-out, etc.), and to then use them in stalin.sc and QobiScheme.sc to:

  - rework the (tmp "foo") function to use mktemp

  - replace all uses of fixed /tmp/ paths with use of mktemp, either via
    the updated (tmp "foo"), or via a "mktemp -d ..." temporary directory.

Potential concerns:

  - This introduces new bindings, though I suspect the "debian-" prefixes
    mitigate the likelihood of collisions with any existing use.

  - The new code may not be heavily tested (though I suspect it should be
    safer than what we have now). For example, some of the changes involve
    functions that call mpeg_play, which doesn't appear to be in Debian
    (anymore).

  - This will require rebuilding the pregenerated[1] C versions of the
    compiler (20MB each, one per arch). In the newer release, they're in
    debian/prebuilt-src/. In the older, they were at the top level. This
    will result in a *very* large diff against the previous versions.

[1] NB: the reason we have the pregenerated files is because creating them requires ~2GB RAM and about an hour each on a fairly recent amd64 machine. Though I'd be happy to dispense with them if/when we think it's reasonable.

In any case, I wanted to contact the security team now, to get an idea of how you might want to proceed, before I spend more time on the code. I've nearly finished hacking up a first pass, but it's not likely to be quite ready yet.
Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
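The following is an added example and not code from stalin, from the bug report, or from the proposed fix. It recreates, in shell (the commands stalin hands to system()), the fixed-path temp file pattern quoted in the report beside the kind of mktemp-based replacement the reply proposes, and reproduces the symlink attack the fixed path allows. The function names are hypothetical, the directory argument exists only so the demonstration can stay out of the real /tmp, and the "victim" file is constructed input.

```shell
#!/bin/sh
# Added example: fixed /tmp path versus mktemp, with the symlink attack
# reproduced in a private scratch directory. Not stalin's own code.

# Vulnerable shape: a predictable name under a world-writable directory.
# Whoever pre-creates QobiScheme.tmp (or a symlink there) decides which
# file "uname -m" overwrites and what the caller reads back.
detect_arch_unsafe() {
    f="${1:-/tmp}/QobiScheme.tmp"
    uname -m >"$f"      # follows a planted symlink, clobbering its target
    cat "$f"
    rm -f "$f"          # removes only the link, not the clobbered target
}

# Safer shape: mktemp(1) creates the file itself, with an unpredictable
# name, mode 0600 and O_EXCL, so a pre-existing entry is never reused.
# The generated name must then be used everywhere, including the final rm.
detect_arch_safe() {
    f=$(mktemp "${1:-/tmp}/QobiScheme.XXXXXX") || return 1
    uname -m >"$f"
    cat "$f"
    rm -f "$f"
}

# Run one of the detectors with an attacker-planted symlink in the way and
# report whether the symlink's target survived: prints "clobbered" or
# "untouched". The victim file stands in for any file the victim user
# can write but the attacker cannot.
run_against_planted_symlink() {
    d=$(mktemp -d) || return 1
    printf 'important data\n' >"$d/victim"
    ln -s "$d/victim" "$d/QobiScheme.tmp"   # the attacker's move
    "$1" "$d" >/dev/null
    if [ "$(cat "$d/victim")" = "important data" ]; then
        r=untouched
    else
        r=clobbered
    fi
    rm -rf "$d"
    echo "$r"
}

demo_fixed_path()  { run_against_planted_symlink detect_arch_unsafe; }
demo_mktemp_path() { run_against_planted_symlink detect_arch_safe; }

demo_fixed_path     # clobbered
demo_mktemp_path    # untouched
```

The same reasoning applies to the "mktemp -d" case for temporary directories: the directory is created by mktemp with a fresh name and restrictive mode, and every later path is built from the returned name rather than a literal under /tmp. Note that mktemp only closes the hole if the caller never falls back to a fixed name on any path, including cleanup; a literal "rm -f /tmp/QobiScheme.tmp" left behind is the same race from the other end.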