bug-patch

Re: [bug-patch] ed scripts allow arbitrary code execution


From: Bruno Haible
Subject: Re: [bug-patch] ed scripts allow arbitrary code execution
Date: Fri, 06 Apr 2018 15:45:50 +0200
User-agent: KMail/5.1.3 (Linux/4.4.0-116-generic; KDE/5.18.0; x86_64; ; )

Hello Andreas,

> I see that my patch [1] was overlooked and then [2] was written the next
> day. It introduces at least 2 new code execution vulnerabilities
> relating to filenames containing $(..).

Indeed, the gnulib module 'sh-quote' [1] can help to avoid misquoting in
shell command-lines.

Additionally, the gnulib module 'execute' [2] ensures portability to Windows,
since it replaces the uses of 'fork()'.

Bruno

[1] https://www.gnu.org/software/gnulib/MODULES.html#module=sh-quote
[2] https://www.gnu.org/software/gnulib/MODULES.html#module=execute
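The quoting problem the thread is about, worked through in standalone C as an added example (this is not gnulib's sh-quote code and not the patch under discussion; the `sq_quote`, `build_unquoted`, `build_quoted` and `has_live_substitution` names and the sample file name are constructed for illustration). A file name is interpolated into an `ed` command line first verbatim, then wrapped in POSIX single quotes, the approach sh-quote takes: inside single quotes the shell performs no expansion, so `$(..)`, backticks, `$VAR` and metacharacters stay literal, and an embedded `'` is rewritten as `'\''`. A small scanner checks which of the two command lines still carries a substitution the shell would run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated copy of STRING wrapped in POSIX single quotes,
   with each embedded ' rewritten as '\''.  Inside single quotes the shell
   expands nothing, so $(..), `..`, $VAR, ';' and '|' are all literal.
   Hypothetical helper, not gnulib's API.  Caller frees the result. */
char *
sq_quote (const char *string)
{
  size_t len = strlen (string);
  /* Worst case: every byte is a quote needing 4 bytes, plus 2 outer quotes. */
  char *out = malloc (len * 4 + 3);
  if (!out)
    return NULL;
  char *p = out;
  *p++ = '\'';
  for (const char *s = string; *s; s++)
    {
      if (*s == '\'')
        {
          memcpy (p, "'\\''", 4);
          p += 4;
        }
      else
        *p++ = *s;
    }
  *p++ = '\'';
  *p = '\0';
  return out;
}

/* The unsafe construction: the file name lands in the command line verbatim,
   so any $(..) in it is handed to the shell for execution. */
char *
build_unquoted (const char *filename)
{
  size_t n = strlen ("ed - ") + strlen (filename) + 1;
  char *cmd = malloc (n);
  if (cmd)
    snprintf (cmd, n, "ed - %s", filename);
  return cmd;
}

/* The hardened construction: the same command line, file name shell-quoted. */
char *
build_quoted (const char *filename)
{
  char *q = sq_quote (filename);
  if (!q)
    return NULL;
  size_t n = strlen ("ed - ") + strlen (q) + 1;
  char *cmd = malloc (n);
  if (cmd)
    snprintf (cmd, n, "ed - %s", q);
  free (q);
  return cmd;
}

/* Return 1 if CMD contains a "$(" that is not inside single quotes (and not
   backslash-escaped), i.e. a substitution the shell would actually run;
   0 otherwise.  Used here to check the two builders above. */
int
has_live_substitution (const char *cmd)
{
  int in_sq = 0;
  for (const char *s = cmd; *s; s++)
    {
      if (in_sq)
        {
          if (*s == '\'')
            in_sq = 0;
        }
      else if (*s == '\\' && s[1] != '\0')
        s++;                    /* escaped character outside quotes */
      else if (*s == '\'')
        in_sq = 1;
      else if (s[0] == '$' && s[1] == '(')
        return 1;
    }
  return 0;
}

int
main (void)
{
  /* Constructed sample file name that embeds a harmless substitution. */
  const char *name = "notes$(echo hi).txt";
  char *bad = build_unquoted (name);
  char *good = build_quoted (name);
  printf ("%s   -> live substitution: %d\n", bad, has_live_substitution (bad));
  printf ("%s -> live substitution: %d\n", good, has_live_substitution (good));
  free (bad);
  free (good);
  return 0;
}
```

Quoting fixes the command-line construction, but the more robust option Bruno's second pointer hints at is to not build a shell command line at all: passing the program name and its arguments as an argv vector to the child (what the gnulib 'execute' module does, on top of hiding fork()) means no shell ever parses the file name, so there is nothing to misquote.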
