oss-sec mailing list archives
Re: update on CVE-2008-5718
From: Thomas Biege <thomas () suse de>
Date: Wed, 28 Jan 2009 15:54:59 +0100
Hi, On Wed, Jan 28, 2009 at 09:02:45AM -0500, Steven M. Christey wrote:
On Wed, 28 Jan 2009, Thomas Biege wrote:New patch attached, the old one was missing spaces. Hope the blacklist is complete now...Would a "-" character allow an argument injection attack by inserting dangerous command-line switches? Things like being able to add a "-rf" as an argument to the rm command...
I was thinking about that case too but it might not work because we escape the space.
I assume there's something undesirable about quoting everything unless it's alphanumeric?
... I think I'll rewrite it and post it here again. Replacing popen() is still my prefered solution.... -- Bye, Thomas -- Thomas Biege <thomas () suse de>, SUSE LINUX, Security Support & Auditing SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- Hamming's Motto: The purpose of computing is insight, not numbers. -- Richard W. Hamming
Current thread:
- update on CVE-2008-5718 Nico Golde (Jan 13)
- Re: update on CVE-2008-5718 Thomas Biege (Jan 14)
- Re: update on CVE-2008-5718 Nico Golde (Jan 14)
- Re: update on CVE-2008-5718 Thomas Biege (Jan 14)
- Re: update on CVE-2008-5718 Thomas Biege (Jan 28)
- Re: update on CVE-2008-5718 Steven M. Christey (Jan 28)
- Re: update on CVE-2008-5718 Thomas Biege (Jan 28)
- Re: update on CVE-2008-5718 Steven M. Christey (Jan 28)
- Re: update on CVE-2008-5718 Nico Golde (Jan 14)
- Re: update on CVE-2008-5718 Nico Golde (Jan 28)
- Re: update on CVE-2008-5718 Thomas Biege (Jan 14)