<div dir="ltr">Package: debconf<br>Version: 1.5.92<br>Severity: important<br>Tags: security patch<br>X-Debbugs-Cc: <a href="mailto:team@security.debian.org">team@security.debian.org</a>, <a href="mailto:debconf-devel@lists.alioth.debian.org">debconf-devel@lists.alioth.debian.org</a><br><br>Dear debconf maintainers,<br><br>I would like to report an input-validation issue in debconf 1.5.92, confirmed at runtime in a fresh debian:sid container.<br><br>Several debconf database driver initialization paths interpolate attacker-influenced format or driver names into Perl eval STRING:<br><br> Debconf/DbDriver/File.pm<br> Debconf/DbDriver/Directory.pm<br> Debconf/DbDriver/Pipe.pm<br> Debconf/Db.pm<br><br>The affected values come from debconf database configuration, including environment/config routes such as DEBCONF_DB_OVERRIDE, DEBCONF_DB_FALLBACK, DEBCONF_DB_REPLACE, DEBCONF_SYSTEMRC, DPKG_ROOT, and ${VAR} substitution in Config.pm.<br><br>A crafted format value can cause attacker-controlled Perl code to be evaluated when the corresponding debconf database configuration is loaded.<br><br>Confirmed impact:<br><br>- Arbitrary code execution in the debconf-using Perl process that loads attacker-influenced debconf database configuration.<br>- The code runs as the UID/EUID of that Perl process.<br>- Local privilege escalation is possible only when attacker-controlled debconf environment/configuration crosses a privilege boundary into a privileged debconf-using process.<br><br>This is not a remote vulnerability and does not become privilege escalation on a default Debian system by itself. With sudo's default env_reset, the relevant environment variables are dropped before the privileged process runs.<br><br>Runtime validation:<br><br>- Confirmed in debian:sid with debconf 1.5.92.<br>- Nine trigger variants were tested.<br>- Before patch: benign marker files were created by the Perl process.<br>- After patch: all tested malicious format/driver names were rejected.<br>- Legitimate Format: 822 configuration still works.<br>- Legitimate ${VAR} substitution for non-Format fields still works.<br><br>Proposed fix:<br><br>The attached patch validates format and driver names before the eval sinks using:<br><br> \A[A-Za-z0-9_]+\z<br><br>The patch touches:<br><br> Debconf/DbDriver/File.pm<br> Debconf/DbDriver/Directory.pm<br> Debconf/DbDriver/Pipe.pm<br> Debconf/Db.pm<br><br>Debconf/Config.pm is intentionally left unchanged. The ${VAR} substitution path can still transport a malicious value into the stanza, but the value is blocked at the eval sinks.<br><br>Public context:<br><br>I initially sent this to Debian Security and debconf-devel. Salvatore Bonaccorso noted that debconf-devel is not private and asked me to file this directly in the BTS for maintainer tracking:<br><br> <a href="https://alioth-lists.debian.net/pipermail/debconf-devel/2026-May/005526.html">https://alioth-lists.debian.net/pipermail/debconf-devel/2026-May/005526.html</a><br><br>Please let me know if you prefer a fixed allowlist of known Format/DbDriver module names instead of the current character-class validation approach.<br><br>Best regards,<br>Jeremy Erazo<br><br><br><br><div id="mt-signature">
<table border="0" cellpadding="8" cellspacing="0" style="user-select: none;">
<tbody><tr style="display:flex">
<td style="padding:0 4px 0 0">
<img src="https://s3.amazonaws.com/mailtrack-signature/logo-grey.png" alt="Mailsuite" class="" width="24" height="20">
</td>
<td style="padding:0 10px 0 0">
<span style="color:#333;font-size:12px;font-family:Inter,sans-serif;font-weight:400;line-height:185%">Email trackeado con Mailsuite · <a href="https://u.list-prefs.com/en/privacy/opt-out/unsubscribe/96fbe1d8a4d5ed9b87118e85e984a86b7313ffd6/420689cfb77e738ceec082be09a9bcf456e92a5f914b9285f9f16f628386013bfc77683b948bcfff21b78b66da3e9739451bd062d209c37330abf933b7c5d1ee" target="_blank" style="color:#666;font-size:11px;font-family:Inter,sans-serif;font-weight:400;line-height:185%">Darse de baja</a></span><br>
</td>
<td><span style="color:transparent;font-size:0">09/05/26, 12:15:57 p.m.</span></td>
</tr>
</tbody></table>
</div><img width="0" height="0" class="mailtrack-img" alt="" style="display:flex" src="https://mailtrack.io/trace/mail/96fbe1d8a4d5ed9b87118e85e984a86b7313ffd6.png?u=13483695"></div>