oss-sec mailing list archives
kiwi shell meta char injection
From: Thomas Biege <thomas () suse de>
Date: Wed, 02 Nov 2011 10:03:07 +0000
Hi,

my colleagues found the following:

https://github.com/openSUSE/kiwi/commit/f0f74b3f6ac6d47f7919aa9db380c0ad41ffe55f
CVE-2011-3180: The path of overlay files was not escaped which allowed shell meta character injection via the chown(1) command-line.

https://github.com/openSUSE/kiwi/commit/88bf491d16942766016c606e4210b4e072c1019f
CVE-2011-4195: The image name was not escaped properly and can be used in conjunction with other applications to execute arbitrary shell commands.

Cheers,
Thomas

--
Thomas Biege <thomas () suse de>, Project Manager IT-Security
SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg)
--
Whoever stops wanting to become better stops being good.
-- Marie von Ebner-Eschenbach
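The bug class named in CVE-2011-3180, shown as an added example that is not part of the original message and is not kiwi's code: a file path interpolated into a chown(1) command line that a shell then parses, beside two hardened forms. The function names and the file name are assumptions constructed for illustration, and the injected command only creates a marker file in a temporary directory.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed sample input: an overlay file name containing a shell metacharacter.
HOSTILE_NAME = "overlay; touch injected_marker"


def chown_unescaped(owner, path, cwd):
    # The pattern the advisory describes: the path is pasted into a shell
    # command line, so ';' ends the chown command and starts a new one.
    return subprocess.run(f"chown {owner} {path}", shell=True, cwd=cwd,
                          stderr=subprocess.DEVNULL).returncode


def chown_quoted(owner, path, cwd):
    # Still goes through a shell, but every interpolated value is quoted and
    # '--' stops a leading '-' in the path from being read as an option.
    cmd = f"chown {shlex.quote(str(owner))} -- {shlex.quote(path)}"
    return subprocess.run(cmd, shell=True, cwd=cwd).returncode


def chown_argv(owner, path, cwd):
    # No shell involved: the path is one argv element and is never parsed.
    return subprocess.run(["chown", str(owner), "--", path], cwd=cwd).returncode


def marker_created(chown_func):
    """Apply chown_func to the hostile file name inside a scratch directory
    and report whether the injected 'touch' command was executed."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, HOSTILE_NAME), "w"):
            pass  # create the oddly named overlay file
        chown_func(os.getuid(), HOSTILE_NAME, workdir)
        return os.path.exists(os.path.join(workdir, "injected_marker"))


if __name__ == "__main__":
    for func in (chown_unescaped, chown_quoted, chown_argv):
        print(f"{func.__name__}: injected command ran = {marker_created(func)}")
```

Passing an argument vector avoids the shell entirely and is the more robust of the two hardened forms; quoting is the fallback when a shell command string cannot be avoided.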