Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 15 Jan 2009 07:25:20 +0100
From: Thomas Biege <thomas@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: update on CVE-2008-5718

> > I am not very happy with the patch because it just filters a handful of
> > characters, a better solution would be to replace popen().
> > (I mentioned this on the netatalk-devel ML but got no answer so far.)
> 
> It is no full shell escape but escapes everything that 
> should be relevant for command injection. Sure, replacing 
> the popen would be the better option but I was not too happy 
> doing this as I guess it's more likely to break existing 
> functionality with it by accident.

Yes, such a patch need to come from upstream.


-- 
Bye,
     Thomas
-- 
 Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
-- 
           Hamming's Motto:
           The purpose of computing is insight, not numbers.
                                -- Richard W. Hamming

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ