Date: Wed, 18 Feb 2015 20:32:04 -0500
From: Michael Gilbert <michael.s.gilbert@...il.com>
To: oss-security@...ts.openwall.com
Cc: carnil@...ian.org, cve-assign@...re.org
Subject: Re: Re: CVE Request: xdg-utils: xdg-open: command
 injection vulnerability

On Wed, Feb 18, 2015 at 1:35 PM, CVE assign wrote:
> Our understanding from
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777722#12 is that
> the report has not identified a vulnerability (or even a bug) in dash.

It is probably at least a design flaw (and a reasonably
well-documented one at that [0]).  Bash on the other hand is not
vulnerable to the same class of problems:

$ cat testme
testme() {
   x=backfromthedead
   local x
   echo $x
}
testme

$ bash testme

$ dash testme
backfromthedead

Best wishes,
Mike

[0] $ man dash
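
Added example, not part of the original message and not code from xdg-utils: a portable way to check how the running shell treats an uninitialised `local`, next to the declaration form that behaves the same in bash and dash. The function names `leaky`, `hardened` and `local_semantics` are hypothetical.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical and not from xdg-utils.

# Pattern from the message: `local x` with no initialiser.
# dash: the local starts with the value of any x visible in the caller's scope.
# bash: the local starts unset.
leaky() {
    local x
    printf '%s' "$x"
}

# Hardened pattern: assign in the declaration, so the starting value does not
# depend on the shell or on what the caller (or the environment) set.
hardened() {
    local x=""
    printf '%s' "$x"
}

# Probe the running shell. The subshell keeps the constructed sample value of x
# from leaking into the rest of the script.
local_semantics() {
    if [ -n "$( x=backfromthedead; leaky )" ]; then
        echo inherits   # dash-style behaviour
    else
        echo resets     # bash-style behaviour
    fi
}

echo "uninitialised local: $(local_semantics)"
echo "hardened output with x set by caller: '$( x=backfromthedead; hardened )'"
```

Running the file with `dash` and then with `bash` shows the first line differ while the second stays empty in both.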
