Package: pinfo
Version: 0.6.13-1.3+b1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

When running "pinfo mpfr", I can see in the strace output:

execve("/bin/sh", ["sh", "-c", "--", "cat ./mpfr> /tmp/pinfo.tVVaeB"], 0x7ffc16308110 /* 135 vars */ <unfinished ...>

This is the case including when the argument is a symbolic link.

This means that private data can end up in /tmp (the file seems
private by default as created with 0600, but the fact that it can
escape the original file system is bad).

This is also bad in case of a symbolic link to some special file,
such as a dev file.

Like "info" and "man", pinfo should not look into the current
directory (except when explicitly requested via the INFOPATH
environment variable).

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.9.12-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages pinfo depends on:
ii  install-info     7.1-3+b1
ii  libc6            2.39-6
ii  libncursesw6     6.5-2
ii  libreadline8t64  8.2-4
ii  libtinfo6        6.5-2

pinfo recommends no packages.

pinfo suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
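The report above shows the two weak points in one strace line: the info file is looked up relative to the current directory, and it is copied into /tmp by handing a shell a command string. As an added illustration (this is not pinfo's code and the function names, the INFOPATH-style search variable and the fixture files are assumptions for the example), the C below does what the reporter asks for: it searches only absolute directories listed in a colon-separated path, never ".", opens the candidate with O_NOFOLLOW, confirms via fstat() that it is a regular file rather than a device or other special file, and copies it to a mkstemp() temporary in-process with no shell involved. The self_check() function builds a constructed fixture under a private mkdtemp() directory (a regular "mpfr" file and a "devlink" symlink to /dev/null) and exercises each refusal path.

```c
/* Added example, not pinfo's code: cwd-free lookup, symlink/special-file
 * refusal, and shell-free copy to a 0600 temporary file. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Search each ':'-separated directory in `path` for `name`. Relative entries
 * (such as ".") are skipped, names containing '/' are rejected, O_NOFOLLOW
 * refuses a symlink at the final component, and anything that is not a
 * regular file (device, fifo, directory) is closed and refused.
 * Returns an open read-only fd, or -1. */
int open_info_file(const char *path, const char *name)
{
    if (!path || !name || name[0] == '\0' || strchr(name, '/')) return -1;
    char *copy = strdup(path);
    if (!copy) return -1;
    int fd = -1;
    for (char *dir = strtok(copy, ":"); dir; dir = strtok(NULL, ":")) {
        if (dir[0] != '/') continue;            /* never the current directory */
        char full[4096];
        if (snprintf(full, sizeof full, "%s/%s", dir, name) >= (int)sizeof full) continue;
        fd = open(full, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
        if (fd < 0) continue;
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) break;
        close(fd);                              /* special file: refuse */
        fd = -1;
    }
    free(copy);
    return fd;
}

/* Copy src_fd into a fresh temporary created by mkstemp() (0600, unpredictable
 * name, no shell). Stores the path in `out`; returns the temp fd or -1. */
int copy_to_tempfile(int src_fd, char *out, size_t outlen)
{
    char tmpl[] = "/tmp/pinfo-example.XXXXXX";   /* prefix is an assumption */
    int tfd = mkstemp(tmpl);
    if (tfd < 0) return -1;
    char buf[8192];
    ssize_t n;
    while ((n = read(src_fd, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n;) {
            ssize_t w = write(tfd, buf + off, (size_t)(n - off));
            if (w < 0) { close(tfd); unlink(tmpl); return -1; }
            off += w;
        }
    }
    if (n < 0) { close(tfd); unlink(tmpl); return -1; }
    snprintf(out, outlen, "%s", tmpl);
    return tfd;
}

/* Constructed fixture: a regular "mpfr" file and a "devlink" -> /dev/null
 * symlink in a private directory. Returns 0 if every expectation holds,
 * otherwise the number of the failed step. */
int self_check(void)
{
    char dir[] = "/tmp/pinfo-demo.XXXXXX";
    if (!mkdtemp(dir)) return 1;
    char reg[4200], lnk[4200];
    snprintf(reg, sizeof reg, "%s/mpfr", dir);
    snprintf(lnk, sizeof lnk, "%s/devlink", dir);
    FILE *f = fopen(reg, "w");
    if (!f) return 2;
    fputs("constructed info text\n", f);        /* 22 bytes */
    fclose(f);
    if (symlink("/dev/null", lnk) != 0) return 3;

    int rc = 0;
    int fd = open_info_file(dir, "mpfr");
    if (fd < 0) rc = 4;
    else {
        char tmp[64];
        int tfd = copy_to_tempfile(fd, tmp, sizeof tmp);
        if (tfd < 0) rc = 5;
        else {
            struct stat st;
            if (fstat(tfd, &st) != 0 || (st.st_mode & 077) != 0 || st.st_size != 22) rc = 6;
            close(tfd);
            unlink(tmp);
        }
        close(fd);
    }
    if (rc == 0 && open_info_file(dir, "devlink") != -1) rc = 7;  /* symlink to a device */
    if (rc == 0 && open_info_file(".", "mpfr") != -1) rc = 8;     /* "." is never searched */
    if (rc == 0 && open_info_file(dir, "../mpfr") != -1) rc = 9;  /* no traversal out of dir */
    unlink(reg); unlink(lnk); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = self_check();
    printf("self_check: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

Two design points matter here. O_NOFOLLOW only refuses a symlink at the last path component, so the fstat()/S_ISREG check after open() is what actually guarantees a device or fifo cannot be read even when reached through a symlinked parent directory or named directly. And because the lookup never consults the current directory and the copy never passes the file name to a shell, a file name containing shell metacharacters is simply an ordinary name rather than a command fragment.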
