Re: deb vfs security issue (CAN-2004-0494)
- From: Jakub Jelinek <jakub redhat com>
- To: Leonard den Ottolander <leonard den ottolander nl>
- Cc: MC Devel <mc-devel gnome org>
- Subject: Re: deb vfs security issue (CAN-2004-0494)
- Date: Wed, 18 Aug 2004 18:40:36 +0200
On Wed, Aug 18, 2004 at 07:28:23PM +0200, Leonard den Ottolander wrote:
> Hi,
>
> On Wed, 2004-08-18 at 16:31, Leonard den Ottolander wrote:
> > I noticed this in Red Hat's bugzilla just now:
> > http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127973 .
>
> Attached is a patch that escapes all dangerous characters for function
> arguments. More specifically, everything not in A-Z, a-z, 0-9, _, /, .,
> - and +.
>
> Could somebody on a system with dpkg installed verify that things still
> work correctly after applying this patch? Thanks.
Also, isn't mcdebfs_copyout's destfile not used just in system ()
(where it should be escaped), but also in
if ( open(FILEOUT,">$destfile") )
(where I'd say it should not be escaped)?
Jakub
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]