
CVE-2015-1378 / Git HEAD: Issues with sourcing cmdlineopts.clp from current working directory #59

Closed
hartwork opened this issue Jan 20, 2015 · 5 comments


@hartwork (Contributor)

The current code is sourcing cmdlineopts.clp from the directory that grml-debootstrap is executed from:

```sh
...
# cmdline handling {{{
# source external command line parameter-processing script
if [ -r ./cmdlineopts.clp ] ; then
   . ./cmdlineopts.clp
elif [ -r /usr/share/grml-debootstrap/functions/cmdlineopts.clp ] ; then
   . /usr/share/grml-debootstrap/functions/cmdlineopts.clp
else
   eerror "Error: cmdline function file not found, exiting."
   eend 1
   bailout 1
fi
...
```

To demonstrate it:

```
$ echo "echo Hello; exit 123" > cmdlineopts.clp
$ sudo grml-debootstrap ; echo $?
Hello
123
```

Before sourcing that file, grml-debootstrap should check if the current working directory is writable to non-root users and deny sourcing if so.

hartwork changed the title to "Git HEAD: Issues with sourcing cmdlineopts.clp from current working directory" on Jan 20, 2015
@mika (Member) commented Jan 20, 2015

Hm, the idea is to be able to execute (and develop) grml-debootstrap from the git repository itself without having to install anything system wide. A repository is usually not owned by root user, so I'm not sure what we should do about that. :-/

@mika (Member) commented Jan 20, 2015

One approach might be to set a specific environment variable which allows usage of grml-debootstrap from inside the repository and only if this variable is set then consider sourcing cmdlineopts.clp.

@hartwork (Contributor, Author)

Maybe, not sure yet.

To add another idea: If the scenario is running sudo ./grml-debootstrap sourcing ./cmdlineopts.clp and assuming the Git working directory is not writable by anyone but <you and/or root> (already or okay to enforce), then the code could grant sourcing if

${PWD} has *neither* 0020 nor 0002 octal permissions set
and
  ${PWD} is owned by root
  or
    the parent process is sudo (readlink on /proc/${PPID}/exe)
    and
    the parent's parent process (e.g. a shell) is run by the same user that ${PWD} is owned by
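
A check along the lines of this proposal, as an added example that is not grml-debootstrap's own code: a directory is trusted as a source of shell code only if it has neither the group-write (0020) nor the world-write (0002) bit and is owned by root or by the user on whose behalf the script runs. The function names are hypothetical, it assumes GNU `stat`, and it takes the invoking user from sudo's `SUDO_UID` instead of walking `/proc/${PPID}` as sketched above.

```shell
#!/bin/sh
# Hypothetical hardening check for the "./cmdlineopts.clp" branch quoted in
# this issue (added example, not grml-debootstrap's own code).
# dir_trusted_for_sourcing DIR [EXPECTED_UID]
#   Returns 0 when DIR may be trusted, 1 otherwise.
#   EXPECTED_UID defaults to the sudo caller ($SUDO_UID, set by sudo) or,
#   when not running under sudo, to the current uid.
dir_trusted_for_sourcing() {
    dir=${1:-$PWD}
    expected_uid=${2:-${SUDO_UID:-$(id -u)}}

    # GNU stat: %a = octal mode without leading zero, %u = numeric owner uid.
    info=$(stat -L -c '%a %u' "$dir" 2>/dev/null) || return 1
    set -- $info
    [ $# -eq 2 ] || return 1
    mode=$1
    owner=$2

    # Reject group- or world-writable directories: anyone in that set could
    # drop a cmdlineopts.clp that root would then source. A sticky,
    # world-writable directory such as /tmp is rejected here as well.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        return 1
    fi

    # The owner must be root or the user the script is being run for.
    [ "$owner" -eq 0 ] || [ "$owner" -eq "$expected_uid" ]
}

# Guarded replacement for the first branch of the snippet in the issue:
# only source ./cmdlineopts.clp when the working directory passes the check.
maybe_source_local_clp() {
    if [ -r ./cmdlineopts.clp ] && dir_trusted_for_sourcing "$PWD"; then
        . ./cmdlineopts.clp
        return 0
    fi
    return 1
}
```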

@hartwork (Contributor, Author)

CVE-2015-1378 has been assigned to this issue:
http://thread.gmane.org/gmane.comp.security.oss.general/15483

hartwork changed the title from "Git HEAD: Issues with sourcing cmdlineopts.clp from current working directory" to "CVE-2015-1378 / Git HEAD: Issues with sourcing cmdlineopts.clp from current working directory" on Jan 27, 2015
mika pushed a commit that referenced this issue Mar 10, 2015
#59)

Simplified, this fixes CVE-2015-1378 for everyone but grml-debootstrap developers.
@mika (Member) commented Mar 10, 2015

Fixed via your PR, thanks!

@mika mika closed this as completed Mar 10, 2015
mika pushed a commit that referenced this issue Mar 16, 2015
#59)

Simplified, this fixes CVE-2015-1378 for everyone but grml-debootstrap developers.

(cherry picked from commit 7b07013)