oss-sec mailing list archives
Re: Re: CVE Request: xdg-utils: xdg-open: command injection vulnerability
From: Michael Gilbert <michael.s.gilbert () gmail com>
Date: Wed, 18 Feb 2015 20:32:04 -0500
On Wed, Feb 18, 2015 at 1:35 PM, CVE assign wrote:
> Our understanding from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777722#12 is that the report has not identified a vulnerability (or even a bug) in dash.
It is probably at least a design flaw (and a reasonably well-documented one at that [0]). Bash on the other hand is not vulnerable to the same class of problems:

$ cat testme
testme() {
    x=backfromthedead
    local x
    echo $x
}
testme
$ bash testme

$ dash testme
backfromthedead

Best wishes,
Mike

[0] $ man dash
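The behaviour shown in the message above, turned into a check and a hardened pattern (an added example, not code from the thread or from xdg-utils). The function names, the file names and the stale value placed in the enclosing scope are hypothetical and constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread. All names below are hypothetical.

# Reports how the running shell treats a bare `local x` when x already
# has a value in the enclosing scope: "inherits" or "clean".
_probe_inner() {
    local x
    if [ -n "${x:-}" ]; then echo inherits; else echo clean; fi
}
probe_local() {
    x=backfromthedead   # constructed outer value, as in the testme script
    _probe_inner
    unset x
}

# Fragile: cmd is assigned on only one branch, so on the other branch its
# value is whatever `local` left there.
pick_opener_unsafe() {
    local cmd
    case "$1" in
        *.txt) cmd=editor ;;
    esac
    printf '%s\n' "${cmd:-}"
}

# Hardened: assign every local explicitly before any branch reads it.
pick_opener_safe() {
    local cmd
    cmd=""
    case "$1" in
        *.txt) cmd=editor ;;
    esac
    printf '%s\n' "$cmd"
}

# Demo with a constructed stale value in the enclosing scope.
cmd=backfromthedead
echo "bare local in this shell: $(probe_local)"
echo "unsafe: [$(pick_opener_unsafe report.pdf)]"
echo "safe:   [$(pick_opener_safe report.pdf)]"
```

Run the file once with dash and once with bash to compare; the hardened function returns the same result under both.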
Current thread:
- CVE Request: xdg-utils: xdg-open: command injection vulnerability Salvatore Bonaccorso (Dec 31)
- Re: CVE Request: xdg-utils: xdg-open: command injection vulnerability Salvatore Bonaccorso (Jan 16)
- Re: CVE Request: xdg-utils: xdg-open: command injection vulnerability cve-assign (Jan 17)
- <Possible follow-ups>
- CVE Request: xdg-utils: xdg-open: command injection vulnerability Salvatore Bonaccorso (Feb 18)
- Re: CVE Request: xdg-utils: xdg-open: command injection vulnerability cve-assign (Feb 18)
- Re: Re: CVE Request: xdg-utils: xdg-open: command injection vulnerability Michael Gilbert (Feb 18)
- Re: CVE Request: xdg-utils: xdg-open: command injection vulnerability cve-assign (Feb 18)