Date: Mon, 17 Mar 2014 17:21:33 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
CC: 741659@...s.debian.org
Subject: CVE request: kdirstat, insufficient quote escaping leading to arbitrary command execution

Good morning,

Adrian Panasiuk discovered that the KDirStat (KDE Directory Statistics) tool did not correctly escape quotes when deleting a directory permanently. Attempting to use KDirStat to permanently delete a directory that has a malicious name could result in arbitrary command execution.

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741659

The Debian report is about single quotes. On Fedora (https://bugzilla.redhat.com/show_bug.cgi?id=1077059) double quotes were needed.

Can a CVE please be assigned if one has not been already? (And maybe it should be escaping ';' too if not already?)

Thanks,

--
Murray McAllister / Red Hat Security Response Team
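
Added illustration, not part of the original message and not KDirStat's code: a path wrapped in single quotes without escaping embedded quotes (the Debian single-quote case) beside POSIX-correct quoting, with /bin/sh asked how many arguments it actually parses. The function names and the directory names are constructed for this example, and it assumes a POSIX shell reachable through popen().

```cpp
#include <cstdio>
#include <iostream>
#include <string>

// Flawed: wraps the path in single quotes but leaves embedded quotes alone,
// so a quote inside the name ends the quoted word early.
std::string naive_quote(const std::string& path) {
    return "'" + path + "'";
}

// POSIX sh quoting: for each embedded ', close the quoted word, emit an
// escaped quote (\'), then reopen the quoted word.
std::string posix_quote(const std::string& path) {
    std::string out = "'";
    for (char c : path) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

// Ask /bin/sh how it splits the text: printf echoes every argument it
// receives in brackets, so "[a][b]" means the shell saw two arguments.
std::string shell_sees(const std::string& quoted) {
    const std::string cmd = "printf '[%s]' " + quoted;
    std::string result;
    FILE* pipe = popen(cmd.c_str(), "r");
    if (!pipe) return result;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, pipe)) > 0) result.append(buf, n);
    pclose(pipe);
    return result;
}

int main() {
    const std::string name = "x' 'y";  // constructed directory name
    std::cout << shell_sees(naive_quote(name)) << "\n";   // name breaks out of its quotes
    std::cout << shell_sees(posix_quote(name)) << "\n";   // name stays one argument
    // Inside a correctly closed single-quoted word, ';' is a literal character.
    std::cout << shell_sees(posix_quote("a;b")) << "\n";
}
```

Passing the path as its own argv element to the deleting program, with no shell in between, removes the need for quoting altogether.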