
dietlibc: insecure default PATH



Dear security and LTS teams,

I'm co-maintainer of dietlibc. Thorsten Glaser has found a security
issue: the default PATH (used when the environment variable is NOT set)
contains the current working directory. He has publicly reported this
upstream under:

http://news.gmane.org/find-root.php?message_id=alpine.DEB.2.20.1607181048300.24083%40tglase.lan.tarent.de

I've already uploaded a fixed version of the package to sid. The fixed
version in sid is 0.34~cvs20160606-2.

This bug also affects the diet binary (wrapper to call gcc) provided in
the dietlibc package, as that uses execvp internally.

I've also prepared updates for the package for Jessie and Wheezy,
debdiffs against the current versions in Jessie and Wheezy are attached
to this email.

I've also pushed them to the wheezy and jessie branches in the git
repository:

git clone https://anonscm.debian.org/git/collab-maint/dietlibc.git -b jessie
git clone https://anonscm.debian.org/git/collab-maint/dietlibc.git -b wheezy

Please note that if you use gbp to build the packages, you need to add
--git-debian-branch=jessie (or wheezy) --git-pristine-tar to the gbp
buildpackage command, as only in sid does debian/gbp.conf have the
proper options.

(Also, the package in sid supports arch=all autobuilders and source
only uploads, the packages in Wheezy and Jessie probably do not.)

I have verified that the new packages build in a clean pbuilder
environment in Jessie and Wheezy.

Since dietlibc is a static library, some reverse dependencies need to
be recompiled. I've gone through all reverse dependencies of dietlibc
in Debian, and only three use either dietlibc's _PATH_DEFPATH define
or execvp()/execlp() from dietlibc (e2fsprogs in Wheezy and Jessie does
use execvp and execlp, but not from fsck.ext2, which is the only binary
compiled against dietlibc used there; e2fsprogs in sid isn't compiled
against dietlibc anymore):

 - minit (wheezy, jessie)
 - util-vserver (jessie, sid)
 - mksh (wheezy, jessie, sid, experimental)

(The other rdeps do not contain any reference to _PATH_DEFPATH or
execvp/execlp.)

I have verified that these rdeps compile against the fixed version of
dietlibc in a clean pbuilder environment. I do not know whether the
flaw can be exploited in util-vserver and minit, whereas for mksh
Thorsten Glaser provided a PoC.

Also note that users of this library, who compile their code manually
against the dietlibc package from Debian, might need to recompile their
own code after this update, if it uses _PATH_DEFPATH, execvp or execlp
from dietlibc, so this should be mentioned in the advisory.

Please advise me on how to get updates made available for Jessie and
Stretch. For the binNMUs in sid and experimental, I will have to
contact the release team, I assume?

Thank you!

Regards,
Christian

PS: Note: I'm a DM and have upload permissions for dietlibc in sid, in
    case that's relevant.

diff -Nru dietlibc-0.33~cvs20120325/debian/changelog dietlibc-0.33~cvs20120325/debian/changelog
--- dietlibc-0.33~cvs20120325/debian/changelog	2012-09-30 16:18:30.000000000 +0200
+++ dietlibc-0.33~cvs20120325/debian/changelog	2016-07-20 08:39:46.000000000 +0200
@@ -1,3 +1,10 @@
+dietlibc (0.33~cvs20120325-4+deb7u1) wheezy-security; urgency=high
+
+  * Security: fix insecure default PATH.
+    Thanks to Thorsten Glaser <t.glaser@tarent.de> for discovering this
+
+ -- Christian Seiler <christian@iwakd.de>  Wed, 20 Jul 2016 08:38:13 +0200
+
 dietlibc (0.33~cvs20120325-4) unstable; urgency=low
 
   [ Peter Michael Green ]
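Review bot: The changelog entry says nothing about the consequence the cover letter spells out, namely that programs statically linked against dietlibc (minit and mksh in wheezy, plus any locally built code using _PATH_DEFPATH, execvp or execlp) keep the old "/bin:/usr/bin:" string until they are rebuilt; add a line to that effect so it reaches the advisory and apt-listchanges. The "Thanks to ..." line is also missing its final period, and the entry carries no bug or CVE reference, only the upstream URL in the patch header.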
diff -Nru dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff
--- dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff	1970-01-01 01:00:00.000000000 +0100
+++ dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff	2016-07-20 08:39:46.000000000 +0200
@@ -0,0 +1,19 @@
+Description: Fix insecure default PATH
+ Throsten Glaser <t.glaser@tarent.de> discovered that the default PATH
+ (absent the environment variable) contains the local directory.
+Author: Christian Seiler <christian@iwakd.de>
+Bug: http://news.gmane.org/find-root.php?message_id=alpine.DEB.2.20.1607181048300.24083%40tglase.lan.tarent.de
+Last-Update: 2016-07-20
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/include/paths.h
++++ b/include/paths.h
+@@ -2,7 +2,7 @@
+ #define _PATHS_H
+ 
+ #define _PATH_BSHELL "/bin/sh"
+-#define _PATH_DEFPATH "/bin:/usr/bin:"
++#define _PATH_DEFPATH "/bin:/usr/bin"
+ 
+ #define _PATH_DEVNULL "/dev/null"
+ 
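Review bot: The DEP-3 Description has a typo, "Throsten" for "Thorsten" (the changelog spells it correctly), and "contains the local directory" understates the mechanism: the trailing ':' in "/bin:/usr/bin:" yields an empty PATH element, which execvp treats as the current working directory, so dropping that one character is the whole fix. Say so in the Description. The hunk touches only include/paths.h; confirm that dietlibc's execvp/execlp fallback really takes its string from _PATH_DEFPATH rather than carrying its own literal, otherwise the library's own lookup stays unfixed. A Forwarded: field is missing as well; with the report URL already in Bug:, "Forwarded: yes" completes the header.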
diff -Nru dietlibc-0.33~cvs20120325/debian/patches/series dietlibc-0.33~cvs20120325/debian/patches/series
--- dietlibc-0.33~cvs20120325/debian/patches/series	2012-09-30 16:18:30.000000000 +0200
+++ dietlibc-0.33~cvs20120325/debian/patches/series	2016-07-20 08:39:46.000000000 +0200
@@ -27,3 +27,4 @@
 0034-make-select-testcase-useful.diff
 0035-Use-syscall-_newselect-instead-of-select-on-ppc64.diff
 0036-fix-jmp_buf-size-on-armhf.diff
+0100-security-insecure-default-PATH.diff
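Review bot: The new entry jumps from 0036 to 0100; if the gap is meant to reserve the 01xx range for security backports, write that convention down (a comment in series or debian/README.source) so later uploads follow it, otherwise 0037 keeps the series sequential. Appending it last is fine as long as no earlier patch also edits include/paths.h, and nothing in the names shown suggests one does.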
diff -Nru dietlibc-0.33~cvs20120325/debian/changelog dietlibc-0.33~cvs20120325/debian/changelog
--- dietlibc-0.33~cvs20120325/debian/changelog	2014-02-11 21:48:24.000000000 +0100
+++ dietlibc-0.33~cvs20120325/debian/changelog	2016-07-20 08:42:03.000000000 +0200
@@ -1,3 +1,10 @@
+dietlibc (0.33~cvs20120325-6+deb8u1) jessie-security; urgency=high
+
+  * Security: fix insecure default PATH.
+    Thanks to Thorsten Glaser <t.glaser@tarent.de> for discovering this
+
+ -- Christian Seiler <christian@iwakd.de>  Wed, 20 Jul 2016 08:41:30 +0200
+
 dietlibc (0.33~cvs20120325-6) unstable; urgency=low
 
   * Team upload.
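Review bot: Same gap as in the wheezy entry: no mention that the statically linked reverse dependencies named in the cover letter (minit, util-vserver and mksh in jessie) need a rebuild before they pick up the fix, no bug or CVE reference, and the "Thanks to ..." line again lacks its final period.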
diff -Nru dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff
--- dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff	1970-01-01 01:00:00.000000000 +0100
+++ dietlibc-0.33~cvs20120325/debian/patches/0100-security-insecure-default-PATH.diff	2016-07-20 08:42:03.000000000 +0200
@@ -0,0 +1,19 @@
+Description: Fix insecure default PATH
+ Throsten Glaser <t.glaser@tarent.de> discovered that the default PATH
+ (absent the environment variable) contains the local directory.
+Author: Christian Seiler <christian@iwakd.de>
+Bug: http://news.gmane.org/find-root.php?message_id=alpine.DEB.2.20.1607181048300.24083%40tglase.lan.tarent.de
+Last-Update: 2016-07-20
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/include/paths.h
++++ b/include/paths.h
+@@ -2,7 +2,7 @@
+ #define _PATHS_H
+ 
+ #define _PATH_BSHELL "/bin/sh"
+-#define _PATH_DEFPATH "/bin:/usr/bin:"
++#define _PATH_DEFPATH "/bin:/usr/bin"
+ 
+ #define _PATH_DEVNULL "/dev/null"
+ 
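Review bot: This is byte-for-byte the wheezy patch, including the "Throsten" typo and the vague "local directory" wording in the Description; whatever correction goes into the wheezy copy must be applied here too, and since the include/paths.h hunk is identical in both branches, keeping the two files in sync is the main maintenance risk.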
diff -Nru dietlibc-0.33~cvs20120325/debian/patches/series dietlibc-0.33~cvs20120325/debian/patches/series
--- dietlibc-0.33~cvs20120325/debian/patches/series	2014-02-11 21:41:35.000000000 +0100
+++ dietlibc-0.33~cvs20120325/debian/patches/series	2016-07-20 08:42:03.000000000 +0200
@@ -28,3 +28,4 @@
 0035-Use-syscall-_newselect-instead-of-select-on-ppc64.diff
 0036-fix-jmp_buf-size-on-armhf.diff
 0037-support-powerpcspe.diff
+0100-security-insecure-default-PATH.diff
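Review bot: The numbering skips 0038..0099 here as well (the jessie series ends at 0037); use the same convention as settled for the wheezy branch so the two series stay parallel and later patches do not collide on a number.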

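The mechanism behind the one-character fix above, as an added example that is not part of the mailing-list post or of dietlibc's own code: a PATH-style search that resolves a command name element by element the way execvp(3) does, where a zero-length element (the trailing ':' in "/bin:/usr/bin:") is probed as the current working directory, next to a check that flags such elements. The resolver, the `exists` probe callback and the fake "./ls" entry are constructed for this demo so it runs offline; the function names are mine, not dietlibc's.

```c
/* Added example (not dietlibc code): PATH search with execvp semantics,
 * where a zero-length element means the current working directory, and a
 * check that flags PATH elements an unprivileged local user could control. */
#include <stdio.h>
#include <string.h>

#define MAX_ELEMS 32
#define MAX_ELEM_LEN 256

/* Split a PATH string on ':' into elems[]; returns the element count.
 * A zero-length element (leading, trailing or doubled ':') is kept as "". */
static int split_path(const char *path, char elems[][MAX_ELEM_LEN], int max)
{
    int n = 0;
    const char *start = path;
    for (;;) {
        const char *colon = strchr(start, ':');
        size_t len = colon ? (size_t)(colon - start) : strlen(start);
        if (n == max) return n;
        if (len >= MAX_ELEM_LEN) len = MAX_ELEM_LEN - 1;
        memcpy(elems[n], start, len);
        elems[n][len] = '\0';
        n++;
        if (!colon) return n;
        start = colon + 1;
    }
}

/* Nonzero if the element resolves somewhere the caller does not control:
 * the empty string (cwd under execvp), ".", or any relative path. */
int path_elem_is_insecure(const char *elem)
{
    return elem[0] == '\0' || strcmp(elem, ".") == 0 || elem[0] != '/';
}

/* Number of insecure elements in a PATH string. */
int count_insecure_path_elems(const char *path)
{
    char elems[MAX_ELEMS][MAX_ELEM_LEN];
    int n = split_path(path, elems, MAX_ELEMS);
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (path_elem_is_insecure(elems[i])) bad++;
    return bad;
}

/* Resolve `name` (no slash) along `path` as execvp does: try each element
 * in order, building "<elem>/<name>". An empty element is probed as
 * "./<name>", i.e. the current directory. The probe is an injected
 * callback (constructed stand-in for stat/access). Returns the index of
 * the matching element, or -1; `out` receives the candidate that matched. */
int resolve_along_path(const char *path, const char *name,
                       int (*exists)(const char *candidate),
                       char *out, size_t outlen)
{
    char elems[MAX_ELEMS][MAX_ELEM_LEN];
    int n = split_path(path, elems, MAX_ELEMS);
    for (int i = 0; i < n; i++) {
        const char *dir = elems[i][0] ? elems[i] : ".";
        snprintf(out, outlen, "%s/%s", dir, name);
        if (exists(out)) return i;
    }
    out[0] = '\0';
    return -1;
}

/* Constructed fake filesystem: only "./ls" exists, standing in for an
 * attacker who dropped a binary named like a system command into a
 * directory the victim program runs from. */
static int fake_exists(const char *candidate)
{
    return strcmp(candidate, "./ls") == 0;
}

/* Old default "/bin:/usr/bin:": the empty third element hits "./ls". */
int demo_trailing_colon_hits_cwd(void)
{
    char found[512];
    return resolve_along_path("/bin:/usr/bin:", "ls", fake_exists,
                              found, sizeof found);
}

/* Fixed default "/bin:/usr/bin": cwd is never consulted. */
int demo_fixed_path_misses_cwd(void)
{
    char found[512];
    return resolve_along_path("/bin:/usr/bin", "ls", fake_exists,
                              found, sizeof found);
}

int main(void)
{
    printf("\"/bin:/usr/bin:\" insecure elements: %d\n",
           count_insecure_path_elems("/bin:/usr/bin:"));
    printf("\"/bin:/usr/bin\"  insecure elements: %d\n",
           count_insecure_path_elems("/bin:/usr/bin"));
    printf("ls via old default -> element %d\n", demo_trailing_colon_hits_cwd());
    printf("ls via fixed default -> element %d\n", demo_fixed_path_misses_cwd());
    return 0;
}
```

The same check catches a leading or doubled colon (":/bin", "/bin::/usr/bin"), which are the other two ways an empty element gets into a search path; this is why the fix removes the colon rather than appending a directory after it.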