oss-sec mailing list archives
Re: Re: CVE Request: xdg-utils: xdg-open: command injection vulnerability
From: Michael Gilbert <michael.s.gilbert () gmail com>
Date: Wed, 18 Feb 2015 20:32:04 -0500
On Wed, Feb 18, 2015 at 1:35 PM, CVE assign wrote:
> Our understanding from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777722#12 is that the report has not identified a vulnerability (or even a bug) in dash.
It is probably at least a design flaw (and a reasonably
well-documented one at that [0]). Bash on the other hand is not
vulnerable to the same class of problems:
$ cat testme
testme() {
x=backfromthedead
local x
echo $x
}
testme
$ bash testme
$ dash testme
backfromthedead
Best wishes,
Mike
[0] $ man dash
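
The following is an added example, not part of the original message: it applies the `local` difference shown above to a function that builds an option string, next to a form that initialises the local explicitly so it behaves the same under dash and bash. All function and variable names are hypothetical, and the stale `opts` value is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post; all names are hypothetical.

# Unhardened: `opts` is declared but not initialised. bash starts it unset;
# dash starts it with whatever `opts` held in the caller or the environment.
build_opts_bare() {
    local opts
    if [ -n "${1-}" ]; then
        opts="${opts:+$opts }--file=$1"
    fi
    printf '%s' "${opts-}"
}

# Hardened: an explicit empty initialiser gives the same result in both shells.
build_opts_init() {
    local opts=""
    if [ -n "${1-}" ]; then
        opts="${opts:+$opts }--file=$1"
    fi
    printf '%s' "$opts"
}

# Probe: succeeds (exit 0) when a bare `local` inherits the outer value,
# which is the dash behaviour shown in the post.
_probe() {
    local probe_var
    [ "${probe_var-}" = backfromthedead ]
}
local_inherits() {
    probe_var=backfromthedead
    _probe
}

# Constructed scenario: `opts` already holds a stale value before the call.
demo() {
    opts="--stale"
    printf 'bare: [%s]\n' "$(build_opts_bare report.txt)"
    printf 'init: [%s]\n' "$(build_opts_init report.txt)"
    if local_inherits; then
        echo "this shell: bare local inherits the outer value (dash-like)"
    else
        echo "this shell: bare local starts unset (bash-like)"
    fi
}
demo
```

Run the file with `dash` and then with `bash` to compare the `bare:` line; the `init:` line is identical in both.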
