Date: Wed, 18 Feb 2015 20:32:04 -0500
From: Michael Gilbert <michael.s.gilbert@...il.com>
To: oss-security@...ts.openwall.com
Cc: carnil@...ian.org, cve-assign@...re.org
Subject: Re: Re: CVE Request: xdg-utils: xdg-open: command injection vulnerability

On Wed, Feb 18, 2015 at 1:35 PM, CVE assign wrote:
> Our understanding from
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777722#12 is that
> the report has not identified a vulnerability (or even a bug) in dash.

It is probably at least a design flaw (and a reasonably
well-documented one at that [0]). Bash on the other hand is not
vulnerable to the same class of problems:

$ cat testme
testme() {
  x=backfromthedead
  local x
  echo $x
}
testme
$ bash testme

$ dash testme
backfromthedead

Best wishes,
Mike

[0] $ man dash
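
The behaviour shown in the message, as an added example that is not part of the original post: the testme pattern next to a form that initialises the local explicitly, plus a probe that reports whether the running shell's `local` keeps the outer value. All function names and the `_probe` variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. Names are hypothetical.
# `local` is not in POSIX; bash and dash both provide it, but they
# disagree on the initial value of the declared variable.

# Same pattern as testme in the message: assign, then declare local.
unsafe_lookup() {
    x=backfromthedead
    local x
    printf '%s\n' "$x"
}

# Hardened form: give the local an explicit value in the declaration, so
# the result does not depend on which shell interprets the script.
safe_lookup() {
    x=backfromthedead
    local x=''
    printf '%s\n' "$x"
}

# Probe: returns 0 if this shell's `local` keeps the outer value (the dash
# behaviour shown in the message), 1 if the local starts out empty (bash).
_probe_inner() {
    local _probe
    [ -n "${_probe:-}" ]
}
local_inherits() {
    _probe=outer
    _probe_inner
}

if local_inherits; then
    echo "local inherits the outer value here; initialise every local"
else
    echo "local starts empty in this shell"
fi
echo "unsafe_lookup: [$(unsafe_lookup)]"
echo "safe_lookup:   [$(safe_lookup)]"
```

Run it once with `bash` and once with `dash` to see the two results side by side.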