[Debconf-devel] Bug#1041329: debconf-set-selections mishandles funny filenames
Zefram
zefram at fysh.org
Mon Jul 17 15:51:58 BST 2023
Package: debconf
Version: 1.5.77
Severity: important
debconf-set-selections(1) does various funny things if a filename contains
characters that are not usually used in filenames:
# echo > '>t0'
# ls -l
total 4
-rw-rw-r-- 1 root root 1 Jul 17 14:47 '>t0'
# debconf-set-selections '>t0'
# ls -l
total 4
-rw-rw-r-- 1 root root 1 Jul 17 14:47 '>t0'
-rw-rw-r-- 1 root root 0 Jul 17 14:48 t0
# echo > 't1 '
# debconf-set-selections 't1 '
Can't open t1 : No such file or directory at /usr/bin/debconf-set-selections line 114.
# echo > '|echo wibble'
# debconf-set-selections '|echo wibble'
wibble
#
These arise from its use of the <> Perl operator, which is not suitable
for the implementation of a read-from-list-of-files kind of command.
Because the range of misbehaviour includes writing to arbitrary files
and running arbitrary commands, this is a more severe bug than normal.
-zefram
More information about the Debconf-devel
mailing list