Package: pinfo
Version: 0.6.13-1.3+b1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
When running "pinfo mpfr", I can see in the strace output:

execve("/bin/sh", ["sh", "-c", "--", "cat ./mpfr> /tmp/pinfo.tVVaeB"], 0x7ffc16308110 /* 135 vars */ <unfinished ...>

This is the case including when the argument is a symbolic link. This means that private data can end up in /tmp (the file seems private by default as created with 0600, but the fact that it can escape the original file system is bad). This is also bad in case of a symbolic link to some special file, such as a dev file.

Like "info" and "man", pinfo should not look into the current directory (except when explicitly requested via the INFOPATH environment variable).

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.9.12-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages pinfo depends on:
ii  install-info     7.1-3+b1
ii  libc6            2.39-6
ii  libncursesw6     6.5-2
ii  libreadline8t64  8.2-4
ii  libtinfo6        6.5-2

pinfo recommends no packages.

pinfo suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
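As an added illustration of the behaviour the report asks for (this is hypothetical example code, not pinfo's own), the C helpers below resolve an Info file only from the directories listed in an INFOPATH-style string, refuse symlinks and anything that is not a regular file, and copy the result into a private temp file with read()/write() instead of "sh -c". The function and variable names, and the use of /tmp for the copy, are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open "name" only from the colon-separated directory list. The working
 * directory is searched only if the caller listed "." explicitly (strtok
 * drops empty entries, so "" is never treated as cwd). O_NOFOLLOW rejects a
 * symlink and fstat() rejects a non-regular file such as a device. fd or -1. */
int open_info_file(const char *infopath, const char *name) {
    if (!infopath || !name || strchr(name, '/')) return -1; /* bare names only */
    char *dirs = strdup(infopath), path[PATH_MAX];
    if (!dirs) return -1;
    int fd = -1;
    for (char *d = strtok(dirs, ":"); d && fd < 0; d = strtok(NULL, ":")) {
        if (snprintf(path, sizeof path, "%s/%s", d, name) >= (int)sizeof path) continue;
        int cand = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        if (cand < 0) continue;
        struct stat st;
        if (fstat(cand, &st) == 0 && S_ISREG(st.st_mode)) fd = cand; else close(cand);
    }
    free(dirs);
    return fd;
}

/* Copy a vetted fd into a fresh 0600 temp file without a shell, so no file
 * name ever reaches a command line. Stores the temp path in out. Bytes or -1. */
ssize_t copy_to_private_tmp(int in_fd, char *out, size_t outsz) {
    char tmpl[] = "/tmp/pinfo.XXXXXX", buf[4096];
    ssize_t n, total = 0; int out_fd;
    if (in_fd < 0 || (out_fd = mkstemp(tmpl)) < 0) return -1;
    while ((n = read(in_fd, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0, w = 0; off < n; off += w, total += w)
            if ((w = write(out_fd, buf + off, (size_t)(n - off))) < 0) goto fail;
    }
    if (n < 0 || strlen(tmpl) >= outsz) goto fail;
    close(out_fd); strcpy(out, tmpl);
    return total;
fail:
    close(out_fd); unlink(tmpl);
    return -1;
}

char tmp_out[PATH_MAX]; /* scratch buffer receiving the temp path (caller unlinks it) */
```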