oss-sec mailing list archives
Re: update on CVE-2008-5718
From: Thomas Biege <thomas () suse de>
Date: Wed, 28 Jan 2009 15:54:59 +0100
Hi, On Wed, Jan 28, 2009 at 09:02:45AM -0500, Steven M. Christey wrote:
On Wed, 28 Jan 2009, Thomas Biege wrote:New patch attached, the old one was missing spaces. Hope the blacklist is complete now...Would a "-" character allow an argument injection attack by inserting dangerous command-line switches? Things like being able to add a "-rf" as an argument to the rm command...
I was thinking about that case too but it might not work because we escape the space.
I assume there's something undesirable about quoting everything unless it's alphanumeric?
... I think I'll rewrite it and post it here again.
Replacing popen() is still my prefered solution....
--
Bye,
Thomas
--
Thomas Biege <thomas () suse de>, SUSE LINUX, Security Support & Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
Hamming's Motto:
The purpose of computing is insight, not numbers.
-- Richard W. Hamming
Current thread:
- update on CVE-2008-5718 Nico Golde (Jan 13)
- Re: update on CVE-2008-5718 Thomas Biege (Jan 14)
- Re: update on CVE-2008-5718 Nico Golde (Jan 14)
- Re: update on CVE-2008-5718 Thomas Biege (Jan 14)
- Re: update on CVE-2008-5718 Thomas Biege (Jan 28)
- Re: update on CVE-2008-5718 Steven M. Christey (Jan 28)
- Re: update on CVE-2008-5718 Thomas Biege (Jan 28)
- Re: update on CVE-2008-5718 Steven M. Christey (Jan 28)
- Re: update on CVE-2008-5718 Nico Golde (Jan 14)
- Re: update on CVE-2008-5718 Nico Golde (Jan 28)
- Re: update on CVE-2008-5718 Thomas Biege (Jan 14)