[bug-patch] ed scripts allow arbitrary code execution

bug-patch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug-patch] ed scripts allow arbitrary code execution

From:	rain1
Subject:	[bug-patch] ed scripts allow arbitrary code execution
Date:	Fri, 06 Apr 2018 13:32:42 +0100
User-agent:	Roundcube Webmail/1.3.3

Hello.

I see that my patch [1] was overlooked and then [2] was written the nextday. It introduces at least 2 new code executions vulnerabilitiesrelating to filenames containing $(..). I would recommend you avoidexecuting /bin/sh.


[1] http://lists.gnu.org/archive/html/bug-patch/2018-04/msg00000.html

[2]http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d

[Prev in Thread]

Current Thread

[Next in Thread]

[bug-patch] ed scripts allow arbitrary code execution, rain1, 2018/04/05
- [bug-patch] ed scripts allow arbitrary code execution, rain1 <=
  - Re: [bug-patch] ed scripts allow arbitrary code execution, Bruno Haible, 2018/04/06
  - Re: [bug-patch] ed scripts allow arbitrary code execution, Andreas Grünbacher, 2018/04/06

Prev by Date: [bug-patch] ed scripts allow arbitrary code execution
Next by Date: Re: [bug-patch] ed scripts allow arbitrary code execution
Previous by thread: [bug-patch] ed scripts allow arbitrary code execution
Next by thread: Re: [bug-patch] ed scripts allow arbitrary code execution
Index(es):
- Date
- Thread