APK script permission audit
| Bugzilla ID | 280 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-05-04 03:23:46 -0500 |
| Modified | 2020-12-04 00:25:02 -0600 |
| Status | CONFIRMED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | - |
| URL | https://www.openwall.com/lists/oss-security/2020/04/30/1 |
Description
Please see the URL for context.
The following APK scripts were examined:
system/abuild/abuild.pre-install
system/abuild/abuild.pre-upgrade
system/at/at.pre-install
system/bash/bash.post-upgrade
system/bash/bash.pre-deinstall
system/ca-certificates/ca-certificates.post-deinstall
system/ca-certificates/ca-certificates.trigger
system/coreutils/coreutils.post-deinstall
system/docbook-xml/docbook-xml.post-deinstall
system/docbook-xml/docbook-xml.post-install
system/docbook-xml/docbook-xml.post-upgrade
system/docbook-xsl/docbook-xsl-ns.post-deinstall
system/docbook-xsl/docbook-xsl-ns.post-install
system/docbook-xsl/docbook-xsl-ns.post-upgrade
system/docbook-xsl/docbook-xsl.post-deinstall
system/docbook-xsl/docbook-xsl.post-install
system/docbook-xsl/docbook-xsl.post-upgrade
system/fcron/fcron.pre-install
system/kmod/kmod.trigger
system/man-db/man-db.trigger
system/musl/musl-utils.trigger
system/openrc/openrc.post-install
system/openrc/openrc.post-upgrade
system/ruby/ruby.post-upgrade
system/s6-linux-init/s6-linux-init-common.post-upgrade
system/s6-linux-init/s6-linux-init-common.pre-deinstall
system/s6-linux-init/s6-linux-init.post-install
system/s6-linux-init/s6-linux-init.post-upgrade
system/s6-linux-init/s6-linux-init.pre-deinstall
system/s6/s6.post-upgrade
system/s6/s6.trigger
system/sed/sed.post-deinstall
system/sysvinit/sysvinit.post-install
system/sysvinit/sysvinit.post-upgrade
system/utmps/utmps.post-upgrade
system/zsh/zsh.post-install
system/zsh/zsh.post-upgrade
system/zsh/zsh.pre-deinstall
user/acpilight/acpilight.post-install
user/apache-httpd/apache-httpd.pre-install
user/apache-httpd/apache-httpd.pre-upgrade
user/bind/bind.pre-install
user/chrony/chrony.pre-install
user/chrony/chrony.pre-upgrade
user/cracklib/cracklib.trigger
user/cups/cups.pre-install
user/dbus/dbus.post-install
user/dbus/dbus.pre-install
user/dbus/dbus.trigger
user/dhcpcd/dhcpcd.post-upgrade
user/distcc/distcc.pre-install
user/fish/fish.post-install
user/fish/fish.post-upgrade
user/fish/fish.pre-deinstall
user/fontconfig/fontconfig.trigger
user/gdk-pixbuf/gdk-pixbuf.pre-deinstall
user/gdk-pixbuf/gdk-pixbuf.trigger
user/glib/glib.trigger
user/gnupg/gnupg.pre-install
user/gnupg/gnupg.pre-upgrade
user/graphviz/graphviz.pre-deinstall
user/graphviz/graphviz.trigger
user/grub/grub.post-upgrade
user/grub/grub.trigger
user/gtk+2.0/gtk+2.0.post-deinstall
user/gtk+2.0/gtk+2.0.post-install
user/gtk+2.0/gtk+2.0.post-upgrade
user/gtk+2.0/gtk-update-icon-cache.trigger
user/gtk+3.0/gtk+3.0.post-deinstall
user/gtk+3.0/gtk+3.0.post-install
user/gtk+3.0/gtk+3.0.post-upgrade
user/gutenprint/gutenprint.post-install
user/gutenprint/gutenprint.post-upgrade
user/java-common/java-common.trigger
user/libgphoto2/libgphoto2.pre-install
user/libgphoto2/libgphoto2.pre-upgrade
user/lighttpd/lighttpd.pre-install
user/lighttpd/lighttpd.pre-upgrade
user/lilo/lilo.trigger
user/lm_sensors/sensors.install
user/mariadb/mariadb-server.pre-install
user/mkfontscale/mkfontscale.trigger
user/mksh/mksh.post-install
user/mksh/mksh.post-upgrade
user/mksh/mksh.pre-deinstall
user/mosquitto/mosquitto.pre-install
user/netqmail/netqmail.post-install
user/netqmail/netqmail.pre-deinstall
user/nextcloud/nextcloud-initscript.post-install
user/nextcloud/nextcloud.post-upgrade
user/nextcloud/nextcloud.pre-install
user/nsd/nsd.pre-install
user/openldap/openldap.post-install
user/openldap/openldap.post-upgrade
user/openldap/openldap.pre-install
user/openvpn/openvpn.pre-install
user/pango/pango.pre-deinstall
user/pango/pango.trigger
user/pcsc-lite/pcsc-lite.pre-install
user/pcsc-lite/pcsc-lite.pre-upgrade
user/perl-xml-sax/perl-xml-sax.post-install
user/perl-xml-sax/perl-xml-sax.pre-deinstall
user/polkit/polkit.pre-install
user/polkit/polkit.pre-upgrade
user/postfix/postfix.pre-install
user/postgresql/postgresql.pre-upgrade
user/prosody/prosody.pre-install
user/pulseaudio/pulseaudio.pre-install
user/pulseaudio/pulseaudio.pre-upgrade
user/qemu/qemu.post-install
user/qemu/qemu.pre-install
user/redis/redis.pre-install
user/rpcbind/rpcbind.pre-install
user/rpcbind/rpcbind.pre-upgrade
user/sane/sane.pre-install
user/sane/saned.pre-install
user/sddm/sddm.post-install
user/shared-mime-info/shared-mime-info.post-deinstall
user/shared-mime-info/shared-mime-info.trigger
user/strongswan/strongswan.pre-install
user/tcsh/tcsh.post-install
user/tcsh/tcsh.post-upgrade
user/tcsh/tcsh.pre-deinstall
user/tlp/tlp.post-upgrade
user/transmission/transmission-daemon.post-upgrade
user/transmission/transmission-daemon.pre-install
user/transmission/transmission.post-install
user/unbound/unbound.pre-install
user/vde2/vde2.pre-install
user/vlc/vlc-daemon.pre-install
user/vlc/vlc-libs.trigger
Of these, the following were found to have potential issues:
user/mariadb/mariadb-server.pre-install
user/nextcloud/nextcloud-initscript.post-install