oss-sec mailing list archives

Re: update on CVE-2008-5718


From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 28 Jan 2009 09:02:45 -0500 (EST)


On Wed, 28 Jan 2009, Thomas Biege wrote:

> New patch attached, the old one was missing spaces.
> Hope the blacklist is complete now...

Would a "-" character allow an argument injection attack by inserting
dangerous command-line switches?  Things like being able to add a "-rf" as
an argument to the rm command...

I assume there's something undesirable about quoting everything unless
it's alphanumeric?

- Steve
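
An added example, not part of the thread and not the patch under discussion: it compares a blacklist escaper with "backslash everything that is not alphanumeric" on a value beginning with "-", using `shlex.split` to show the argv a POSIX shell would produce without running anything. The blacklist contents, the function names and the sample values are assumptions made for illustration; the `--` end-of-options marker only helps with tools that follow that convention.

```python
import shlex

# Constructed blacklist for illustration; NOT the list from the patch discussed above.
BLACKLIST = set("\"'`$;&|<>(){}*?\\ \t")

def escape_blacklist(value):
    """Backslash-escape only the characters on the blacklist."""
    return "".join("\\" + c if c in BLACKLIST else c for c in value)

def escape_non_alnum(value):
    """Backslash-escape every character that is not ASCII alphanumeric."""
    if "\n" in value or "\0" in value:
        # backslash-newline is a line continuation in sh, so it cannot be escaped this way
        raise ValueError("newline or NUL in value")
    return "".join(c if c.isascii() and c.isalnum() else "\\" + c for c in value)

def option_args(command_line):
    """argv elements the program would parse as options (stops at a literal --)."""
    opts = []
    for arg in shlex.split(command_line)[1:]:  # POSIX-style word splitting; nothing is executed
        if arg == "--":
            break
        if arg.startswith("-") and arg != "-":
            opts.append(arg)
    return opts

def build(tool, value, escape, end_of_options=False):
    """Build the command string that would be handed to a shell."""
    parts = [tool] + (["--"] if end_of_options else []) + [escape(value)]
    return " ".join(parts)

if __name__ == "__main__":
    for value in ("-rf", "report -rf"):  # constructed untrusted values
        for escape in (escape_blacklist, escape_non_alnum):
            for eoo in (False, True):
                cmd = build("rm", value, escape, eoo)
                print(f"{escape.__name__:17} eoo={eoo!s:5} {cmd!r:22} options={option_args(cmd)}")
```

Escaping the "-" does not change what the program receives, because the shell removes the backslash before the argument is passed on; only the explicit `--` (or rejecting or prefixing values that start with "-") keeps the value from being parsed as a switch.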

