CVE-2015-1378 / Git HEAD: Issues with sourcing cmdlineopts.clp from current working directory #59
Comments
Hm, the idea is to be able to execute (and develop) grml-debootstrap from the git repository itself without having to install anything system wide. A repository is usually not owned by the root user, so I'm not sure what we should do about that. :-/

One approach might be to set a specific environment variable which allows usage of grml-debootstrap from inside the repository, and only if this variable is set then consider sourcing cmdlineopts.clp.

Maybe, not sure yet. To add another idea: If the scenario is running
CVE-2015-1378 has been assigned to this issue:

#59) Simplified, this fixes CVE-2015-1378 for everyone but grml-debootstrap developers.

Fixed via your PR, thanks!

#59) Simplified, this fixes CVE-2015-1378 for everyone but grml-debootstrap developers. (cherry picked from commit 7b07013)
The current code is sourcing cmdlineopts.clp from the directory that grml-debootstrap is executed from:

To demonstrate it:

Before sourcing that file, grml-debootstrap should check if the current working directory is writable to non-root users and deny sourcing if so.
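The two ideas raised in this thread, the trust check proposed in the issue body (refuse to source cmdlineopts.clp from a directory other users can write to) and the opt-in environment variable suggested in the comments, side by side with the unsafe pattern, as an added example that is not grml-debootstrap's own code. The function names, the demo helper and the GRML_DEBOOTSTRAP_ALLOW_LOCAL_OPTS variable are assumptions made here; the trust check is generalised slightly to "owned by the user running the script and not group- or world-writable", which, since grml-debootstrap runs as root, is the root-owned, non-world-writable directory the issue asks for.

```bash
#!/bin/bash
# Added example, not grml-debootstrap's code. Contrasts the unsafe pattern
# from the issue (sourcing cmdlineopts.clp from $PWD unconditionally) with a
# loader that first checks who can write to $PWD. Function names and the
# GRML_DEBOOTSTRAP_ALLOW_LOCAL_OPTS override variable are assumptions.

# Unsafe: any cmdlineopts.clp in the current directory is executed with the
# privileges of the caller (root, when grml-debootstrap is run for real).
source_cmdlineopts_unsafe() {
  if [ -r ./cmdlineopts.clp ]; then
    . "$PWD/cmdlineopts.clp"
  fi
}

# Succeeds only if $1 is a directory owned by the user running the script and
# not writable by group or others, so a file found in it could only have been
# planted by that user. Uses find(1) rather than stat(1) to stay portable.
dir_is_trusted() {
  local dir="$1"
  [ -d "$dir" ] || return 1
  [ -n "$(find "$dir" -maxdepth 0 -user "$(id -un)" 2>/dev/null)" ] || return 1
  [ -z "$(find "$dir" -maxdepth 0 \( -perm -g=w -o -perm -o=w \) 2>/dev/null)" ] || return 1
  return 0
}

# Hardened: source the file only from a trusted directory, unless the
# developer explicitly opted in (hypothetical variable) to run from a checkout.
source_cmdlineopts_safe() {
  local f="$PWD/cmdlineopts.clp"
  [ -r "$f" ] || return 0
  if [ -n "${GRML_DEBOOTSTRAP_ALLOW_LOCAL_OPTS:-}" ] || dir_is_trusted "$PWD"; then
    . "$f"
    return 0
  fi
  echo "refusing to source $f: $PWD is writable by other users" >&2
  return 1
}

# Demo helper (constructed): create a throwaway directory containing a
# cmdlineopts.clp that sets MARKER, apply the requested mode, cd into it and
# run the given loader. Prints "sourced:<MARKER>" or "refused:<MARKER>".
try_mode() {
  local loader="$1" mode="$2" dir
  dir=$(mktemp -d) || return 1
  printf 'MARKER=planted\n' > "$dir/cmdlineopts.clp"
  chmod "$mode" "$dir"
  (
    cd "$dir" || exit 1
    MARKER=clean
    if "$loader" 2>/dev/null; then
      echo "sourced:$MARKER"
    else
      echo "refused:$MARKER"
    fi
  )
  rm -rf "$dir"
}

echo "unsafe loader, mode 777: $(try_mode source_cmdlineopts_unsafe 777)"
echo "safe loader,   mode 777: $(try_mode source_cmdlineopts_safe 777)"
echo "safe loader,   mode 755: $(try_mode source_cmdlineopts_safe 755)"
```

The unsafe loader executes the planted file from a world-writable directory; the hardened loader refuses it there (and in a group-writable one), sources it from a directory only the invoking user can write to, and can be forced on with the override variable for development in a checkout. The override covers the "run from the git repository" case from the comments without weakening the default for everyone else.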