Date: Thu, 15 Jan 2009 07:25:20 +0100
From: Thomas Biege <thomas@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: update on CVE-2008-5718

> > I am not very happy with the patch because it just filters a handful of
> > characters, a better solution would be to replace popen().
> > (I mentioned this on the netatalk-devel ML but got no answer so far.)
>
> It is no full shell escape but escapes everything that
> should be relevant for command injection. Sure, replacing
> the popen would be the better option but I was not too happy
> doing this as I guess it's more likely to break existing
> functionality with it by accident.

Yes, such a patch needs to come from upstream.

-- 
Bye,
     Thomas
--
Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support & Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
Hamming's Motto:
The purpose of computing is insight, not numbers.
-- Richard W. Hamming
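The two approaches contrasted in this thread, as an added example written for this page (it is not netatalk code and not the patch under discussion): a deny-list check of the "filter a handful of characters" kind beside a popen() replacement that execs the program directly with an argv array, so no shell ever parses the untrusted argument. Function names, the metacharacter list and the sample arguments are illustrative assumptions.

```c
/* Added example, not netatalk's code: two ways of handling a
 * caller-supplied argument that ends up in an external command.
 * popen(3) hands its command string to "sh -c", so any shell
 * metacharacter in a string assembled from untrusted input is
 * interpreted by the shell.  run_capture() below replaces popen()
 * with pipe/fork/execvp and an argv array: the argument is passed
 * to the child verbatim, and the shell is never involved. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The deny-list approach: returns 1 if s contains a character the
 * shell would treat specially.  This list is illustrative; it is not
 * the set used by the actual patch, and any such list is only as
 * complete as its author's knowledge of the shell. */
int has_shell_meta(const char *s)
{
    static const char meta[] = ";|&`$<>()\"'\\*?[]{}~\n";
    return strpbrk(s, meta) != NULL;
}

/* The popen() replacement: run argv[0] with the given argv, capture
 * its stdout into buf (NUL-terminated).  Returns bytes read or -1.
 * Because execvp() receives an argv array rather than a command
 * line, there is no string for a shell to re-parse. */
ssize_t run_capture(char *const argv[], char *buf, size_t buflen)
{
    int fds[2];
    if (buflen == 0 || pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* child: route stdout into the pipe, then exec directly */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1)
            _exit(127);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);            /* exec failed */
    }
    close(fds[1]);
    size_t total = 0;
    ssize_t n;
    while (total < buflen - 1 &&
           (n = read(fds[0], buf + total, buflen - 1 - total)) > 0)
        total += (size_t)n;
    buf[total] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return (ssize_t)total;
}

/* Demonstration: a constructed argument full of shell metacharacters
 * reaches the child unchanged, so "echo" simply prints it back.
 * Returns 1 if the output is the argument verbatim. */
int metachars_pass_verbatim(void)
{
    char *argv[] = { "echo", "name;id|cat", NULL };   /* constructed input */
    char out[128];
    ssize_t n = run_capture(argv, out, sizeof out);
    return n > 0 && strcmp(out, "name;id|cat\n") == 0;
}

int main(void)
{
    char *argv[] = { "echo", "hello;world", NULL };
    char out[128];
    if (run_capture(argv, out, sizeof out) < 0)
        return 1;
    fputs(out, stdout);        /* prints the argument as one literal word */
    return has_shell_meta("hello;world") ? 0 : 1;
}
```

The deny-list check is kept only to show what the filtering patch is doing at its core: it rejects or escapes what its author thinks the shell cares about. The argv-based replacement removes the question entirely, which is why the poster calls it the better option; the cost he names is the risk of changing behaviour for callers that relied on the shell expanding their command string.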