Debian Bug report logs - #476572
can be used to remove packages, or install experimental or specific versions, run arbitrary regexps

Package: aptlinex; Maintainer for aptlinex is José L. Redrejo Rodríguez <jredrejo@debian.org>;

Reported by: Joey Hess <joeyh@debian.org>

Date: Thu, 17 Apr 2008 17:12:07 UTC

Severity: grave

Tags: security

Found in version aptlinex/0.9-1

Fixed in version aptlinex/0.91-1

Done: jredrejo@debian.org (José L. Redrejo Rodríguez)

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, jredrejo@debian.org (José L. Redrejo Rodríguez):
Bug#476572; Package aptlinex. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to jredrejo@debian.org (José L. Redrejo Rodríguez). Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: can be used to remove packages, or install experimental or specific versions, run arbitrary regexps
Date: Thu, 17 Apr 2008 13:10:41 -0400
[Message part 1 (text/plain, inline)]
Package: aptlinex
Version: 0.9-1
Severity: grave
Tags: security

<a href="apt://pdmenu-">

With this it will happily remove pdmenu, while presenting a UI that
doesn't make that plain to the user. For more fun, could try libc6- ,
or some other library that will make apt unhappy. (I haven't tried that.)

<a href="apt://pdmenu/experimental">

With this it will install pdmenu from experimental (assuming sources.list is
set up). I think this syntax should be disallowed, along with the "=version"
syntax.

<a href="apt://p.*">

This installs all package names containing "p". Also, it demonstrates that
aptlinex exposes the posix regexp library to attackers. Any security hole
in that library can now be exploited over the web.

The best solution to all of these is probably to check that the package
name listed for installation is the name of an actual, existing package,
before passing it to apt.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages aptlinex depends on:
ii  apt-show-versions             0.12       lists available package versions w
ii  gambas2-gb-gui                2.5-1      The graphical toolkit selector com
ii  gambas2-runtime               2.5-1      The Gambas runtime
ii  gksu                          2.0.0-5    graphical frontend to su

Versions of packages aptlinex recommends:
ii  epiphany-gecko [www-browser 2.20.3-1.1   Intuitive GNOME web browser - Geck
ii  iceweasel [www-browser]     2.0.0.13-1   lightweight web browser based on M
ii  lynx [www-browser]          2.8.6-2      Text-mode WWW Browser
ii  w3m [www-browser]           0.5.1-5.1+b1 WWW browsable pager with excellent

-- no debconf information

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]
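
The check proposed in the report above, sketched in Python as an added example; it is not aptlinex's code (aptlinex runs on Gambas) and not the fix shipped in 0.91-1. The function name, the `KNOWN` set and the `=1.0` version string are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Debian Policy name syntax: lower-case letters, digits, '+', '-', '.';
# at least two characters, starting with an alphanumeric.
NAME_RE = re.compile(r"[a-z0-9][a-z0-9+.-]+")

# Constructed sample data. On a real system this set would be read from the
# apt cache (for example the output of `apt-cache pkgnames`).
KNOWN = frozenset({"aptlinex", "g++", "libc6", "pdmenu"})


def check_apt_uri(uri, known=KNOWN):
    """Return (package, None) if uri names one existing package, else (None, reason)."""
    for scheme in ("apt://", "apt:"):
        if uri.startswith(scheme):
            # Percent-decode before validating, so encoded metacharacters
            # are checked in the form apt would see them.
            name = unquote(uri[len(scheme):])
            break
    else:
        return None, "not an apt URI"
    # Syntax check first: this rejects '/', '=', '*' and every other character
    # that apt would read as a release, a version or a pattern.
    if not NAME_RE.fullmatch(name):
        return None, "not a package name"
    # Exact set membership, never a pattern match. This is what rejects
    # "pdmenu-": the string is well-formed, but no such package exists.
    if name not in known:
        return None, "no such package"
    return name, None


if __name__ == "__main__":
    # The URIs from the report, plus "=1.0" as a constructed version string.
    for uri in ("apt://pdmenu", "apt:pdmenu", "apt://g++", "apt://pdmenu-",
                "apt://pdmenu/experimental", "apt://pdmenu=1.0", "apt://p.*"):
        print(uri, "->", check_apt_uri(uri))
```

A syntax filter alone is not enough here: a trailing `-` or `+` is legal in a Debian package name (`g++` is a real one), so only the existence check separates `g++` from `pdmenu-`.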

Information forwarded to debian-bugs-dist@lists.debian.org, jredrejo@debian.org (José L. Redrejo Rodríguez):
Bug#476572; Package aptlinex. Full text and rfc822 format available.

Acknowledgement sent to Chris Lamb <chris@chris-lamb.co.uk>:
Extra info received and forwarded to list. Copy sent to jredrejo@debian.org (José L. Redrejo Rodríguez). Full text and rfc822 format available.

Message #10 received at 476572@bugs.debian.org (full text, mbox):

From: Chris Lamb <chris@chris-lamb.co.uk>
To: 476572@bugs.debian.org
Subject: Re: can be used to remove packages, or install experimental or specific versions, run arbitrary regexps
Date: Thu, 17 Apr 2008 18:35:19 +0100
[Message part 1 (text/plain, inline)]
Joey Hess wrote:

> With this it will happily remove pdmenu, while presenting a UI that
> doesn't make that plain to the user.

I would agree - the attached JPEG (67KB) shows what I saw when, err,
installing "aptlinex-".


Regards,

-- 
Chris Lamb, UK                                       chris@chris-lamb.co.uk
                                                            GPG: 0x634F9A20
[aptlinex.jpg (image/jpeg, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Reply sent to jredrejo@debian.org (José L. Redrejo Rodríguez):
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 476572-close@bugs.debian.org (full text, mbox):

From: jredrejo@debian.org (José L. Redrejo Rodríguez)
To: 476572-close@bugs.debian.org
Subject: Bug#476572: fixed in aptlinex 0.91-1
Date: Sat, 19 Apr 2008 12:47:02 +0000
Source: aptlinex
Source-Version: 0.91-1

We believe that the bug you reported is fixed in the latest version of
aptlinex, which is due to be installed in the Debian FTP archive:

aptlinex_0.91-1.diff.gz
  to pool/main/a/aptlinex/aptlinex_0.91-1.diff.gz
aptlinex_0.91-1.dsc
  to pool/main/a/aptlinex/aptlinex_0.91-1.dsc
aptlinex_0.91-1_all.deb
  to pool/main/a/aptlinex/aptlinex_0.91-1_all.deb
aptlinex_0.91.orig.tar.gz
  to pool/main/a/aptlinex/aptlinex_0.91.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 476572@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
José L. Redrejo Rodríguez <jredrejo@debian.org> (supplier of updated aptlinex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 19 Apr 2008 14:27:58 +0200
Source: aptlinex
Binary: aptlinex
Architecture: source all
Version: 0.91-1
Distribution: unstable
Urgency: high
Maintainer: José L. Redrejo Rodríguez <jredrejo@debian.org>
Changed-By: José L. Redrejo Rodríguez <jredrejo@debian.org>
Description: 
 aptlinex   - Web browser addon to install Debian packages with a click
Closes: 476572 476588 476590
Changes: 
 aptlinex (0.91-1) unstable; urgency=high
 .
   * New upstream release to fix several security bugs:
   * Check if the package really exists before acting (Closes: #476572)
   * Always uses Temp$() when creating temp files (Closes: #476588)
   * It does not use lock files anymore
   * Now apt:foo uris are also accepted (Closes: #476590)

Information forwarded to debian-bugs-dist@lists.debian.org, jredrejo@debian.org (José L. Redrejo Rodríguez):
Bug#476572; Package aptlinex. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nico@ngolde.de>:
Extra info received and forwarded to list. Copy sent to jredrejo@debian.org (José L. Redrejo Rodríguez). Full text and rfc822 format available.

Message #20 received at 476572@bugs.debian.org (full text, mbox):

From: Nico Golde <nico@ngolde.de>
To: 476572@bugs.debian.org
Subject: CVE id assigned
Date: Tue, 22 Apr 2008 13:18:17 +0200
[Message part 1 (text/plain, inline)]
Hi,
CVE-2008-1902 was assigned to this.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 May 2008 07:40:40 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 06:02:28 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.