Package: os-prober Version: 1.17 Severity: grave Tags: security At least the following patches are needed to all released versions of os-prober to fix a security hole that allows carefully crafted filenames to run arbitrary shell commands when os-prober probes their partition. - for kernfile in $(eval ls $mpoint$kernpat 2>/dev/null); do + for kernfile in $(eval ls "$mpoint$kernpat" 2>/dev/null); do - for initrd in $(eval ls $initrdname 2>/dev/null); do + for initrd in $(eval ls "$initrdname" 2>/dev/null); do joey@gnu:~>dash $ touch 'vmlinuz;touch owned' $ eval ls vmlinuz* ls: cannot access vmlinuz: No such file or directory $ ls owned owned $ -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.31-1-686 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash -- see shy jo
Attachment:
signature.asc
Description: Digital signature