From: Tomas Fasth
Subject: [Monotone-devel] Linking monotone with the official lua shared library as distributed by Debian
Date: Sun, 24 Jul 2005 16:04:56 +0200
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

Hello,

This letter is addressed to the monotone mailing list as well as the
Debian maintainer of the lua shared library in Debian and the
debian-security mailing list.

Background:
Monotone is currently linked statically against its own copy of the
lua library. The monotone authors' motivation is, quote: "we're
disabling io_popen here because it calls shell, and is thereby a
horrible security hole in waiting". A similar comment is made about
io_execute.

What I don't understand, and would appreciate your comments on, is
why this is regarded as "a horrible security hole in waiting" by the
monotone developers but not by Debian itself.

Question 1:
Is it a security hole in general or only applicable to monotone?

Question 2:
If the monotone developers' security concern is applicable outside
monotone, shouldn't the lua library in Debian be patched in the same
way?

I would very much like to resolve this issue in such a way that I
can begin to link monotone with the lua library provided by Debian.

The diff is attached to this letter.

--
Tomas Fasth <address@hidden>
GnuPG KeyId: 0x9FE8D504
Fingerprint: DC7B 9453 7F26 1BF9 6B21 9F90 C187 7355 9FE8 D504
--- lua/lua50-5.0.2/src/lib/liolib.c    2005-07-24 10:27:30.480000000 +0000
+++ monotone/monotone-0.21/lua/liolib.c 2005-07-17 23:02:12.000000000 +0000
@@ -149,14 +149,7 @@
   if (f == stdin || f == stdout || f == stderr)
     return 0;  /* file cannot be closed */
   else {
-    int ok;
-    errno = 0;
-    ok = (pclose(f) != -1);
-    if (!ok) {
-      if (errno == ECHILD) ok = 1; /* pclose worked, but could reap child */
-      else ok = (fclose(f) == 0);
-    }
-
+    int ok = (pclose(f) != -1) || (fclose(f) == 0);
     if (ok)
       *(FILE **)lua_touserdata(L, 1) = NULL;  /* mark file as closed */
     return ok;
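
Review bot: the `+` line falls through to `fclose(f)` on any `pclose(f)` failure and drops the `errno == ECHILD` case that the removed lines treated as success, so a stream that `pclose` has already released can be handed to `fclose` a second time. This hunk is also unrelated to the popen/execute change the letter describes and should be explained or split out. Since the next hunk unregisters `popen`, consider whether this path needs `pclose` at all; if it stays, keep the `errno` check so the two closes are never applied to the same `FILE *`.
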
@@ -503,7 +496,15 @@
   {"close", io_close},
   {"flush", io_flush},
   {"open", io_open},
-  {"popen", io_popen},
+
+  /*
+    monotone specific: we're disabling io_popen here because
+    it calls shell, and is thereby a horrible security hole in
+    waiting.
+  */
+
+  /*   {"popen", io_popen}, */
+
   {"read", io_read},
   {"tmpfile", io_tmpfile},
   {"type", io_type},
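
Review bot: commenting `{"popen", io_popen}` out of the registration table only protects a build that links this patched copy; a build against an unpatched lua library would expose `popen` to scripts again with no warning. Consider also clearing `io.popen` in the Lua state after the libraries are opened, or checking at startup that it is nil, so the restriction does not depend on which liolib.c was linked. The comment should also name the replacement to use, as the comment in the `execute` hunk does.
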
@@ -728,7 +729,16 @@
   {"clock",     io_clock},
   {"date",      io_date},
   {"difftime",  io_difftime},
-  {"execute",   io_execute},
+
+  /*
+    monotone specific: we're disabling io_execute here because
+    it calls shell, and is thereby a horrible security hole in
+    waiting. use the execute() function (which uses posix.execvp)
+    in std_hooks.lua.
+  */
+
+  /*   {"execute",   io_execute}, */
+
   {"exit",      io_exit},
   {"getenv",    io_getenv},
   {"remove",    io_remove},
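
Review bot: the comment above the disabled `{"execute",   io_execute}` entry points to `execute()` in std_hooks.lua and to `posix.execvp`, neither of which is part of this patch, so a reader cannot confirm from here that the replacement avoids the shell. State in the comment how the replacement passes its arguments (as a vector rather than a command string, if that is the case), and refer to the Lua-side name `os.execute` as well as the C function `io_execute`, since that is the name script authors will search for.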
