Re: CVE or not: 2x grml-debootstrap

[cve-assign () mitre org]

> I recently ran into two bugs in grml-debootstrap, documented in detail
> at the following GitHub issues.
>
>
> 1) For the first
>
>  Issues with sourcing cmdlineopts.clp from current working directory
>  https://github.com/grml/grml-debootstrap/issues/59
>
> I am rather clear about exploitability.
> Please review the proposed approach for a fix.

Use CVE-2015-1378.

> 2) For the second
>
>  Lack of user input escaping / use of $!`"\ in passwords
>  https://github.com/grml/grml-debootstrap/issues/58
>
> I still wonder about realistic exploitation scenarios.  Since the tool
> is usually executed by root or using sudo, input from a non-root user
> would need to make its way into the command line, unfiltered or filtered
> insufficiently.

A CVE will not be assigned at this time.

>  It could either be a service like
>
>  live-build
>  http://cgi.build.live-systems.org/cgi-bin/live-build
>
> (they don't call grml-debootstrap, if the code is [2])
> or a sudoers config like
>
>  user23 ALL=(ALL) NOPASSWD: /usr/sbin/grml-debootstrap \
>    --password * .....
>
> though I am note sure how much of a likely setup that is.
>
> Other ideas on scenarios?
> Also, please review my proposal on escaping.
>
> Thanks and best,
>
>
>
> Sebastian
>
>
> [1] https://github.com/grml/grml-debootstrap
> [2] https://packages.debian.org/de/wheezy/live-build


---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]