Package: ucf
Version: 3.0038+nmu1
Tags: patch security
Severity: serious
Control: fixed -1 3.0044
Hello,

During the process of salvaging src:ucf[1], I discovered that the 'saved' variable is inherited uninitialised from the environment and then passed to eval. All stable Debian versions appear to be affected:

mark@apollo:/tmp% sudo saved='$(ls -l)' ucf /dev/null /tmp/new.conf
ucf: unrecognized option '-rw-r--r--'
ucf: unrecognized option '-rw-------'
ucf: unrecognized option '-rw-------'
ucf: unrecognized option '-rwxr-xr-x'
ucf: unrecognized option '-rw-r--r--'
ucf: unrecognized option '-rw-r--r--'
ucf: unrecognized option '-rw-r--r--'
ucf: unrecognized option '-rw-r--r--'

The minimal immediate fix seems straightforward (see attached patch). But I want to be sure that I haven't missed consideration of a case that requires inheriting this from the environment.

Mark

[1] https://bugs.debian.org/1086847
From a0d7ce5b7216e8be117ff10ecfcd47ce287cf306 Mon Sep 17 00:00:00 2001 From: Mark Hindley <m...@hindley.org.uk> Date: Sun, 17 Nov 2024 09:47:42 +0000 Subject: [PATCH] Safely initialise variable subsequently passed to eval. Fixes: mark@apollo:/tmp% sudo saved='$(ls -l)' ucf /dev/null /tmp/new.conf ucf: unrecognized option '-rw-r--r--' ucf: unrecognized option '-rw-------' ucf: unrecognized option '-rw-------' ucf: unrecognized option '-rwxr-xr-x' ucf: unrecognized option '-rw-r--r--' ucf: unrecognized option '-rw-r--r--' ucf: unrecognized option '-rw-r--r--' ucf: unrecognized option '-rw-r--r--' --- ucf | 1 + 1 file changed, 1 insertion(+) diff --git a/ucf b/ucf index 6855cd7..0191243 100755 --- a/ucf +++ b/ucf @@ -294,6 +294,7 @@ NEW_SUFFIX="ucf-new" OLD_SUFFIX="ucf-old" ERR_SUFFIX="merge-error" # save up the cmdline with proper quoting/escaping +saved= for arg in "$@"; do saved="${saved:+$saved }'$(quote_single "$arg")'" done -- 2.39.5
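Review bot: The single `saved=` placed immediately before the `for arg in "$@"` loop is the right minimal fix: `${saved:+$saved }` treats empty and unset identically, so an exported `saved` can no longer seed the string that later reaches eval, and the quoting of each argument via `'$(quote_single "$arg")'` is unchanged. Two points for the submission itself: the commit message pastes the reproducer under "Fixes:" but carries no `Closes:` trailer, so the upload will not close this report automatically; and because the script inherits its whole environment, any other variable in ucf that is only ever appended to with the `var="${var:+$var }..."` idiom has the same exposure, so a pass over the rest of the script for that pattern would make this a complete fix rather than a spot fix. Given the security tag and the note that all stable releases are affected, the same one-line change should be queued for the stable branches.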
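As an added illustration, not code from ucf or from the attached patch, the POSIX shell script below re-creates the quoting loop shown in the hunk in two variants: the original, which appends to an uninitialised `saved`, and the patched one, which sets `saved=` first. It then shows why the difference matters once the string is handed to eval. `quote_single` is a hypothetical reimplementation of ucf's helper, and the `eval "set -- $saved"` consumer is an assumption, since the report does not show where ucf evaluates the rebuilt command line.

```shell
#!/bin/sh
# Added example, not code from ucf or from the attached patch. It re-creates
# the quoting loop from the hunk in two variants (original and patched) and
# shows the effect of an inherited `saved` once the string reaches eval.
# quote_single is a hypothetical reimplementation; roundtrip_count is an
# assumed consumer, as the bug report does not show ucf's real eval site.

# Escape every embedded single quote as '\'' so the caller can wrap the
# result in single quotes and have the shell read it back verbatim.
quote_single() {
    printf '%s' "$1" | sed "s/'/'\\\\''/g"
}

# Original behaviour: `saved` is never reset, so whatever the caller exported
# under that name becomes the unquoted head of the rebuilt command line.
build_cmdline_unsafe() {
    for arg in "$@"; do
        saved="${saved:+$saved }'$(quote_single "$arg")'"
    done
    printf '%s' "$saved"
}

# Patched behaviour: start from the empty string; nothing inherited survives.
build_cmdline_safe() {
    saved=
    for arg in "$@"; do
        saved="${saved:+$saved }'$(quote_single "$arg")'"
    done
    printf '%s' "$saved"
}

# Assumed consumer: rebuild the positional parameters from the quoted string
# via eval and report how many came back. With correct quoting the count
# matches the original and a `$(...)` argument stays a literal string.
roundtrip_count() {
    cmdline=$(build_cmdline_safe "$@")
    eval "set -- $cmdline"
    printf '%s\n' "$#"
}

# Demonstration with a constructed marker already present in the environment
# (only a label; it is never executed by this script).
saved='INHERITED'
printf 'unsafe: %s\n' "$(build_cmdline_unsafe /dev/null /tmp/new.conf)"
printf 'safe:   %s\n' "$(build_cmdline_safe /dev/null /tmp/new.conf)"
printf 'args restored through eval: %s\n' "$(roundtrip_count 'a b' "it's" '$(ls -l)')"
```

The unsafe line prints `INHERITED '/dev/null' '/tmp/new.conf'`, which is exactly the shape that let the report's `saved='$(ls -l)'` expand unquoted under eval; the safe line drops the inherited prefix, and the round trip shows that the per-argument single quoting keeps a `$(ls -l)` argument as data.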