[Debconf-devel] Bug#1136114: debconf: validate format and driver names before eval STRING
Sebastian EM
mendozayt13 at gmail.com
Sat May 9 18:16:30 BST 2026
Package: debconf
Version: 1.5.92
Severity: important
Tags: security patch
X-Debbugs-Cc: team at security.debian.org, debconf-devel at lists.alioth.debian.org
Dear debconf maintainers,
I would like to report an input-validation issue in debconf 1.5.92,
confirmed at runtime in a fresh debian:sid container.
Several debconf database driver initialization paths interpolate
attacker-influenced format or driver names into Perl eval STRING:
Debconf/DbDriver/File.pm
Debconf/DbDriver/Directory.pm
Debconf/DbDriver/Pipe.pm
Debconf/Db.pm
The affected values come from debconf database configuration, including
environment/config routes such as DEBCONF_DB_OVERRIDE, DEBCONF_DB_FALLBACK,
DEBCONF_DB_REPLACE, DEBCONF_SYSTEMRC, DPKG_ROOT, and ${VAR} substitution in
Config.pm.
A crafted format value can cause attacker-controlled Perl code to be
evaluated when the corresponding debconf database configuration is loaded.
Confirmed impact:
- Arbitrary code execution in the debconf-using Perl process that loads
attacker-influenced debconf database configuration.
- The code runs as the UID/EUID of that Perl process.
- Local privilege escalation is possible only when attacker-controlled
debconf environment/configuration crosses a privilege boundary into a
privileged debconf-using process.
This is not a remote vulnerability and does not become privilege escalation
on a default Debian system by itself. With sudo's default env_reset, the
relevant environment variables are dropped before the privileged process
runs.
Runtime validation:
- Confirmed in debian:sid with debconf 1.5.92.
- Nine trigger variants were tested.
- Before patch: benign marker files were created by the Perl process.
- After patch: all tested malicious format/driver names were rejected.
- Legitimate Format: 822 configuration still works.
- Legitimate ${VAR} substitution for non-Format fields still works.
Proposed fix:
The attached patch validates format and driver names before the eval sinks
using:
\A[A-Za-z0-9_]+\z
The patch touches:
Debconf/DbDriver/File.pm
Debconf/DbDriver/Directory.pm
Debconf/DbDriver/Pipe.pm
Debconf/Db.pm
Debconf/Config.pm is intentionally left unchanged. The ${VAR} substitution
path can still transport a malicious value into the stanza, but the value
is blocked at the eval sinks.
Public context:
I initially sent this to Debian Security and debconf-devel. Salvatore
Bonaccorso noted that debconf-devel is not private and asked me to file
this directly in the BTS for maintainer tracking:
https://alioth-lists.debian.net/pipermail/debconf-devel/2026-May/005526.html
Please let me know if you prefer a fixed allowlist of known Format/DbDriver
module names instead of the current character-class validation approach.
Best regards,
Jeremy Erazo
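As an added illustration (not debconf's code and not the attached patch), the check the report proposes, applied before a stanza value becomes a module name and combined with a file-path `require` so no configuration text reaches eval STRING. The `Demo::Format` namespace, `format_class`, `load_class` and the `%ALLOWED_FORMAT` allowlist are hypothetical names constructed here; the allowlist stands in for the fixed-allowlist alternative the report asks the maintainers about.

```perl
#!/usr/bin/perl
# Added example, not debconf's code: validate a Format/DbDriver name taken
# from configuration before it is turned into a Perl module name.
use strict;
use warnings;

# Same character class as the proposed patch: one or more of [A-Za-z0-9_].
# It also rejects "::" and "/", so a value cannot escape the namespace.
my $SAFE_NAME = qr/\A[A-Za-z0-9_]+\z/;

# Hypothetical second layer: a fixed allowlist of known module names.
# Leave it empty to keep character-class validation only.
my %ALLOWED_FORMAT = ('822' => 1);

# Return the fully qualified class for a stanza value, or die.
sub format_class {
    my ($name, $namespace) = @_;
    die "missing Format value\n"  unless defined $name && length $name;
    die "invalid Format name\n"   unless $name =~ $SAFE_NAME;
    die "unknown Format name\n"   if %ALLOWED_FORMAT && !$ALLOWED_FORMAT{$name};
    return "${namespace}::$name";
}

# Load by file path (require EXPR), never via eval "use $class".
sub load_class {
    my ($class) = @_;
    (my $file = "$class.pm") =~ s{::}{/}g;
    require $file;
    return $class;
}

# Constructed stand-in for an installed Debconf::Format::* module; marking
# it in %INC lets `require` succeed without a file on disk.
{ package Demo::Format::822; sub new { bless {}, shift } }
$INC{'Demo/Format/822.pm'} = __FILE__;

# '822' loads; 'Json_v2' passes the character class but not the allowlist;
# the remaining values never reach the loader at all.
for my $value ('822', 'Json_v2', '822)', 'Other::Module', '') {
    my $class = eval { load_class(format_class($value, 'Demo::Format')) };
    printf "%-16s => %s", "'$value'", $class ? "loaded $class\n" : "rejected: $@";
}
```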
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-debconf-validate-format-and-driver-names-before-eval.patch
Type: application/octet-stream
Size: 4293 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debconf-devel/attachments/20260509/88c13870/attachment.obj>