Fun job: Please test/review patch for picocom CVE-2015-9059
Hi security,
there is a problem with the picocom terminal emulator:
picocom before 2.0 has a command injection vulnerability in the
'send and receive file' command because the command line is
executed by /bin/sh unsafely.
(https://security-tracker.debian.org/tracker/CVE-2015-9059)
The bug report https://bugs.debian.org/863671 contains a patch,
but I'm not sure whether it does what it should.
A test case would be wonderful!
If nobody can review or test the patch, there are other options:
- remove picocom 1.7 from Stretch (2.2 is in experimental and
does not have the vulnerability; it will be in unstable ASAP
and will be backported to both Stretch and Jessie)
- just disable 'send and receive file', which nowadays is not
very important anymore; I need to check how easy this is,
but I'm optimistic
- document the problem, but ignore it otherwise, because not
many people will use file transfer anyway - this is neither
Heartbleed nor Shellshock; no fancy name, no logo
TIA & Cheers
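For readers of the thread, here is an added illustration of the hardening pattern the CVE description points at: a user-typed filename appended to a fixed command template and handed to /bin/sh -c is interpreted by the shell, whereas the same filename placed in its own argv slot and passed to execvp() is never parsed. This is example code written for this page; it is not picocom's code and it is not the patch from the Debian bug. The command template "sz -vv", the filename "capture; id", the use of "true" as a stand-in transfer program, and the helper names are all assumptions made for the example.

```c
/* Added example (not picocom's code, not the Debian patch): build the
 * transfer command as an argv vector and execute it without a shell, so a
 * filename containing shell metacharacters is passed through literally. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARGS 32

/* Characters /bin/sh treats specially. Useful for detection or for
 * rejecting input; the actual fix is to never hand the string to a shell. */
int has_shell_meta(const char *s)
{
    static const char meta[] = ";&|`$()<>\"'\\*?[]{}~ \t\n";
    return strpbrk(s, meta) != NULL;
}

/* Split a fixed command template (chosen by the program, not typed by the
 * user) on whitespace into argv tokens, then append the user-supplied
 * filename as ONE literal argument. Tokens are copied into buf, which must
 * outlive argv. Returns argc, or -1 if the template is empty or the result
 * would not fit. */
int build_argv(const char *tmpl, const char *filename,
               char **argv, int max, char *buf, size_t buflen)
{
    size_t used = 0;
    int argc = 0;
    const char *p = tmpl;

    while (*p) {
        while (*p == ' ' || *p == '\t') p++;
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t') p++;
        size_t len = (size_t)(p - start);
        /* keep room for the filename slot and the terminating NULL */
        if (argc >= max - 2 || used + len + 1 > buflen) return -1;
        memcpy(buf + used, start, len);
        buf[used + len] = '\0';
        argv[argc++] = buf + used;
        used += len + 1;
    }
    if (argc == 0) return -1;

    size_t flen = strlen(filename);
    if (used + flen + 1 > buflen) return -1;
    memcpy(buf + used, filename, flen + 1);   /* copied verbatim, not parsed */
    argv[argc++] = buf + used;
    argv[argc] = NULL;
    return argc;
}

/* Run template + filename via fork/execvp. No shell is involved, so the
 * filename reaches the child as a single argument. Returns the child's
 * exit status, or -1 on failure (exec failure shows up as 127). */
int run_without_shell(const char *tmpl, const char *filename)
{
    char buf[1024];
    char *argv[MAX_ARGS];
    if (build_argv(tmpl, filename, argv, MAX_ARGS, buf, sizeof buf) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample input: a filename carrying shell metacharacters. */
    const char *name = "capture; id";
    printf("has_shell_meta: %d\n", has_shell_meta(name));

    char buf[256];
    char *argv[MAX_ARGS];
    int argc = build_argv("sz -vv", name, argv, MAX_ARGS, buf, sizeof buf);
    for (int i = 0; i < argc; i++)
        printf("argv[%d] = \"%s\"\n", i, argv[i]);

    /* "true" stands in for the transfer program (assumption for the
     * example); the filename is its single argument and nothing else runs. */
    printf("exit status: %d\n", run_without_shell("true", name));
    return 0;
}
```

The point of the split is that only the template, which the program controls, is tokenized; the filename is never tokenized or quoted, so a value such as "capture; id" stays one argument. has_shell_meta() is there for logging or rejecting odd input if a shell cannot be avoided in some other code path; it is not a substitute for dropping /bin/sh from the exec path.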