Debian Bug report logs - #366269
findutils: updatedb has bug in 'select_shell()'


Package: findutils; Maintainer for findutils is Andreas Metzler <ametzler@debian.org>; Source for findutils is src:findutils.

Reported by: Chronos Tachyon <chronos@chronos-tachyon.net>

Date: Sat, 6 May 2006 17:48:01 UTC

Severity: important

Tags: confirmed, fixed-upstream, upstream

Found in version findutils/4.2.27-2

Fixed in version findutils/4.2.27-3

Done: Andreas Metzler <ametzler@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://savannah.gnu.org/bugs/index.php?func=detailitem&item_id=16579



Report forwarded to debian-bugs-dist@lists.debian.org, Andreas Metzler <ametzler@debian.org>:
Bug#366269; Package findutils.


Acknowledgement sent to Chronos Tachyon <chronos@chronos-tachyon.net>:
New Bug report received and forwarded. Copy sent to Andreas Metzler <ametzler@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Chronos Tachyon <chronos@chronos-tachyon.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: findutils: updatedb has bug in 'select_shell()'
Date: Sat, 06 May 2006 12:38:21 -0500
Package: findutils
Version: 4.2.27-2
Severity: important


The select_shell() function in /usr/bin/updatedb has a bug in the way it
calls /bin/su; specifically, it attempts 'su "$LOCALUSER" -s $SHELL false',
which runs '/bin/bash false', thus attempting to execute /bin/false as a
shellscript.  (The exit code 126 and error message 'cannot execute
binary file' are ignored entirely by updatedb.)

The correct usage of su would be to add "-c" after "-s $SHELL" on lines 87
and 91.  This is important if, for instance, the administrator has set
$LOCALUSER's shell to /bin/false (which is how I discovered this bug).

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages findutils depends on:
ii  libc6                         2.3.6-7    GNU C Library: Shared libraries

findutils recommends no packages.

-- no debconf information
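
The difference between the two invocations described in the report above, as an added example that is not part of the original report or of updatedb. The helpers run_probe and classify are hypothetical, and the shell is invoked directly rather than through su, assuming sh and mktemp are available:

```sh
#!/bin/sh
# Added illustration (not updatedb's code). run_probe and classify are
# hypothetical helpers; the shell is invoked directly instead of through su.

# run_probe SHELL MODE: print the exit status of one probe.
#   operand: SHELL false     ("false" is taken as a script file to read)
#   command: SHELL -c false  ("false" is taken as a command string)
run_probe() {
    probe_shell=$1
    probe_mode=$2
    # Empty scratch directory, so no local file named "false" is picked up.
    probe_dir=$(mktemp -d) || return 2
    probe_rc=0
    (
        cd "$probe_dir" || exit 125
        case $probe_mode in
            operand) "$probe_shell" false ;;
            command) "$probe_shell" -c false ;;
            *) exit 125 ;;
        esac
    ) >/dev/null 2>&1 || probe_rc=$?
    rmdir "$probe_dir"
    echo "$probe_rc"
}

# classify STATUS: what a caller can conclude from that status.
classify() {
    case $1 in
        1)   echo "command-ran" ;;      # false itself executed and returned 1
        126) echo "not-executable" ;;   # e.g. bash: cannot execute binary file
        127) echo "not-found" ;;        # shell could not open a script "false"
        *)   echo "unexpected" ;;
    esac
}

for mode in operand command; do
    rc=$(run_probe sh "$mode")
    echo "sh, $mode form: exit $rc ($(classify "$rc"))"
done
```

Only the -c form yields the status of false itself; the operand form fails before any command runs, with a status that depends on which shell sh is.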



Tags added: confirmed, upstream Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org.


Noted your statement that Bug has been forwarded to http://savannah.gnu.org/bugs/index.php?func=detailitem&item_id=16579. Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org.


Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility.


Notification sent to Chronos Tachyon <chronos@chronos-tachyon.net>:
Bug acknowledged by developer.


Message #14 received at 366269-close@bugs.debian.org:

From: Andreas Metzler <ametzler@debian.org>
To: 366269-close@bugs.debian.org
Subject: Bug#366269: fixed in findutils 4.2.27-3
Date: Sat, 13 May 2006 05:17:09 -0700
Source: findutils
Source-Version: 4.2.27-3

We believe that the bug you reported is fixed in the latest version of
findutils, which is due to be installed in the Debian FTP archive:

findutils_4.2.27-3.diff.gz
  to pool/main/f/findutils/findutils_4.2.27-3.diff.gz
findutils_4.2.27-3.dsc
  to pool/main/f/findutils/findutils_4.2.27-3.dsc
findutils_4.2.27-3_i386.deb
  to pool/main/f/findutils/findutils_4.2.27-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 366269@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated findutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 13 May 2006 13:41:30 +0200
Source: findutils
Binary: findutils
Architecture: source i386
Version: 4.2.27-3
Distribution: unstable
Urgency: low
Maintainer: Andreas Metzler <ametzler@debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description: 
 findutils  - utilities for finding files--find, xargs, and locate
Closes: 366269
Changes: 
 findutils (4.2.27-3) unstable; urgency=low
 .
   * [updatedb] use su "$LOCALUSER" -s $SHELL -c false instead of
     su "$LOCALUSER" -s $SHELL false to make it work with current su in sid.
     Thanks, Chronos Tachyon for bugreport and fix. (Closes: #366269)
   * standards-version 3.7.2, no changes required.
Files: 
 28d431b28bf30382b2a1ec6931757521 663 utils required findutils_4.2.27-3.dsc
 61ba52bb5015671d0363f1dec6129b29 14995 utils required findutils_4.2.27-3.diff.gz
 ccf131238adbb955ecd2475a5d8483f4 405044 utils required findutils_4.2.27-3_i386.deb




Tags added: fixed-upstream Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 09:52:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Dec 23 16:34:26 2023; Machine Name: buxtehude
