Bug#923478: initscripts use unsafe `: >` shell command to create files

Thu Feb 28 18:40:00 GMT 2019

Package: initscripts
Version: 2.93-8
Severity: normal
Tags: patch

As per the POSIX standard:

http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_14
http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_08_01

The `:` is a "special built-in" command, and as such, errors with it or
with file descriptor redirections shall cause the script to abort. You
can test simply with:

dash -c ': > /tmp/dir/; echo hello world;'

Or instead of /tmp/dir/, anything else that will cause a write
error: "hello world" is never printed because the shell exits on the
redirection error.

Init scripts try to use this for example in the bootclean.sh logic to
create /tmp/.clean: there is even code to handle the failure case which
unfortunately does not get run, in fact the whole cleanup operation is
ended short.

The `true` equivalent of `:` does not have the same status as special
built-in so is exempt of that problem, and I think it's safe to use
instead.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages initscripts depends on:
ii  coreutils       8.30-1
ii  debianutils     4.8.6.1
ii  lsb-base        10.2018112800
ii  mount           2.33.1-0.1
ii  sysv-rc         2.93-8
ii  sysvinit-utils  2.93-8

Versions of packages initscripts recommends:
ii  e2fsprogs  1.44.5-1
ii  psmisc     23.2-1

initscripts suggests no packages.

-- Configuration Files:
/etc/default/rcS changed [not included]
/etc/default/tmpfs changed [not included]

-- no debconf information