Date: Mon, 17 Mar 2014 17:21:33 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
CC: 741659@...s.debian.org
Subject: CVE request: kdirstat, insufficient quote escaping leading to arbitrary command execution

Good morning,

Adrian Panasiuk discovered that the KDirStat (KDE Directory Statistics) 
tool did not correctly escape quotes when deleting a directory 
permanently. Attempting to use KDirStat to permanently delete a 
directory that has a malicious name could result in arbitrary command 
execution.

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741659

The Debian report is about single quotes. On Fedora 
(https://bugzilla.redhat.com/show_bug.cgi?id=1077059) double quotes were 
needed.

Can a CVE please be assigned if one has not been already? (And maybe it 
should be escaping ';' too if not already?)

Thanks,

--
Murray McAllister / Red Hat Security Response Team
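As an added illustration (not part of the report and not KDirStat's code), the quoting failure described above and the two standard fixes, in Python. The command templates, the `/tmp/` paths and the directory names are constructed for this example; `y` stands in for whatever word would follow the separator.

```python
import shlex

# Assumed templates of the kind a tool uses when it hands deletion to a shell;
# the report does not show KDirStat's actual code.
SINGLE_QUOTED_TEMPLATE = "rm -rf '{}'"   # the Debian report concerns single quotes
DOUBLE_QUOTED_TEMPLATE = 'rm -rf "{}"'   # the Fedora report needed double quotes


def build_shell_command(template: str, path: str) -> str:
    """Vulnerable pattern: interpolate the path into a quoted template unescaped."""
    return template.format(path)


def safe_shell_command(path: str) -> str:
    """If a shell string is unavoidable, shlex.quote handles ', ", ; and the rest."""
    return "rm -rf " + shlex.quote(path)


def build_argv(path: str) -> list:
    """Preferred fix: no shell at all. Pass argv to subprocess.run() / execvp(),
    so the name is exactly one argument whatever characters it contains."""
    return ["rm", "-rf", path]


def shell_tokens(command: str) -> list:
    """Tokenise roughly as a POSIX shell would: an unquoted ';' comes out as
    its own token, i.e. a command separator."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


if __name__ == "__main__":
    # Constructed names: a quote that closes the template's own quoting, then
    # a separator and the stand-in word 'y' where an injected command would sit.
    for template, name in ((SINGLE_QUOTED_TEMPLATE, "x';y;'"),
                           (DOUBLE_QUOTED_TEMPLATE, 'x";y;"')):
        path = "/tmp/" + name
        print(shell_tokens(build_shell_command(template, path)))
        # ['rm', '-rf', '/tmp/x', ';', 'y', ';', '']  -> 'y' would run as a command
        print(shell_tokens(safe_shell_command(path)))
        # ['rm', '-rf', "/tmp/x';y;'"]  -> one argument, name intact
        print(build_argv(path))
```

Escaping only one kind of quote, as the report's question about ';' hints, is not enough; either quote for the shell completely or, better, do not involve a shell.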
