| Summary: | another command injection vulnerability | ||
|---|---|---|---|
| Product: | Portland | Reporter: | Michael Gilbert <michael.s.gilbert> |
| Component: | xdg-utils | Assignee: | Portland Bugs <portland-bugs> |
| Status: | RESOLVED INVALID | QA Contact: | |
| Severity: | critical | ||
| Priority: | high | ||
| Version: | 1.1.0 rc1 | ||
| Hardware: | All | ||
| OS: | Linux (All) | ||
| URL: | https://bugs.debian.org/777722 | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
|
Description
Michael Gilbert
2015-02-13 06:24:03 UTC
The code has diverged a bit in git so that patch no longer applies.
But good news: the current code should be safe(r), since all uses of
local $var
are initialized to avoid the problem, in particular, the code closest to what this patch touches now contains:
search_desktop_file()
{
local default="$1"
local dir="$2"
local arg="$3"
local file=""
# look for both vendor-app.desktop, vendor/app.desktop
...
Lastly, with test case given in debian report, I cannot reproduce in fedora 20 at least.
$ cat testme
testme() {
x=backfromthedead
local x
echo $x
}
$ bash testme
$ dash testme
$ rpm -q bash dash
bash-4.2.53-2.fc20.i686
dash-0.5.8-1.fc20.i686
The script you ran lacks the actual function call, the call to "testme" at the end. It should be:
$ cat testme
testme() {
x=backfromthedead
local x
echo $x
}
testme
|
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.