[Portland-bugs] [Bug 89129] another command injection vulnerability

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Fri Feb 20 08:55:24 PST 2015


https://bugs.freedesktop.org/show_bug.cgi?id=89129

Rex Dieter <rdieter at math.unl.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Rex Dieter <rdieter at math.unl.edu> ---
The code has diverged a bit in git so that patch no longer applies.

But good news: the current code should be safe(r), since all uses of `local $var`
are initialized to avoid the problem. In particular, the code closest to what
this patch touches now contains:


search_desktop_file()
{
    local default="$1"
    local dir="$2"
    local arg="$3"

    local file=""
    # look for both vendor-app.desktop, vendor/app.desktop
...


Lastly, with test case given in debian report, I cannot reproduce in fedora 20
at least.

$ cat testme
testme() {
   x=backfromthedead
   local x
   echo $x
}

$ bash testme

$ dash testme

$ rpm -q bash dash
bash-4.2.53-2.fc20.i686
dash-0.5.8-1.fc20.i686

-- 
You are receiving this mail because:
You are the assignee for the bug.
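Added example (not the Debian patch, not xdg-utils code): a small shell script that demonstrates the `local` behaviour the comment above depends on, and a helper that audits a script for the risky pattern. Whether `local x` with no initializer starts out unset (bash) or inherits the caller's value (dash) is shell-dependent, so a function that reads such a variable before assigning it can pick up a value set by its caller or by the environment; `local x=""` is empty under both shells. The function names and the sample script the block writes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of xdg-utils.
# Run under the shell you want to check, e.g. `bash demo.sh` or `dash demo.sh`.

# Returns what a nested function sees in `local x` (no initializer) when the
# caller already has x set. Under bash the local starts unset and "" is printed;
# under dash the local inherits the outer value, so "$1" is printed.
uninitialized_local_sees() {
    x="$1"
    f() { local x; printf '%s' "$x"; }
    f
}

# Hardened form: with an explicit initializer the local is "" in every shell.
initialized_local_sees() {
    x="$1"
    f() { local x=""; printf '%s' "$x"; }
    f
}

# Audit helper: print "LINE: NAME" for each `local` declaration in the given
# file whose variable has no '=' initializer. Option words such as `-r` are
# skipped; trailing comments are stripped before the names are examined.
find_uninitialized_locals() {
    awk '
        /^[ \t]*local[ \t]/ {
            decl = $0
            sub(/^[ \t]*local[ \t]+/, "", decl)
            sub(/#.*$/, "", decl)
            n = split(decl, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (parts[i] == "" || parts[i] ~ /^-/) continue
                if (parts[i] !~ /=/) printf "%d: %s\n", NR, parts[i]
            }
        }' "$1"
}

# Writes a constructed sample script (hypothetical, loosely modelled on the
# snippet quoted in the comment) to the path given as $1. It is only parsed
# by the audit helper, never executed.
write_sample_script() {
    cat > "$1" <<'EOF'
search_desktop_file()
{
    local default="$1"
    local dir="$2"
    local arg="$3"
    local file=""
    local vendor app   # two uninitialized locals the audit should flag
}
EOF
}

printf 'uninitialized local sees: "%s"\n' "$(uninitialized_local_sees outer)"
printf 'initialized local sees:   "%s"\n' "$(initialized_local_sees outer)"
```

Running the script under bash and dash side by side shows the difference directly: the first line is empty under bash and `outer` under dash, while the second line is empty under both. The audit helper is deliberately conservative: it reports every `local` name lacking an initializer, including ones that are assigned before use, so its output is a list to review rather than a list of bugs.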