Bug 958733
Field | Value
---|---
Summary | plexus-utils: suspicious shell quoting in org.codehaus.plexus.util.cli
Product | Fedora
Component | plexus-utils
Version | 18
Status | CLOSED NEXTRELEASE
Severity | unspecified
Priority | unspecified
Hardware | Unspecified
OS | Unspecified
Reporter | Florian Weimer <fweimer>
Assignee | Mikolaj Izdebski <mizdebsk>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | charles, fnasser, java-sig-commits, krosenvold, mizdebsk
See Also | https://jira.codehaus.org/browse/PLXUTILS-161
Fixed In Version | 3.0.16-1
Doc Type | Bug Fix
Type | Bug
Clones | 1009412
Bug Blocks | 958220, 1009412, 1532497
Last Closed | 2014-01-27 14:04:45 UTC
Description
Florian Weimer
2013-05-02 10:13:30 UTC
plexus-utils package is widely used (required by 96 packages in Fedora and it is the most often downloaded artifact on Maven Central [1]), so changing the API or migrating dependent packages to use standard JDK API would be difficult or impossible. If I remember correctly the shell quoting code is indirectly used by maven-scm and maven-wagon. Migration to ProcessBuilder is impossible (or at least not always possible) because the shell code needs to be executed on remote hosts (e.g. over SSH) which is beyond capabilities of ProcessBuilder. In my opinion the shell quoting and escaping code should be fixed to conform to appropriate standards, like [2].

[1] http://search.maven.org/#stats
[2] http://pubs.opengroup.org/onlinepubs/7908799/xcu/chap2.html

Related to upstream bug PLXUTILS-161

I am one of the current maintainers of the plexus code in question. Plexus-utils is mostly used within maven, which (like all the build systems for java) is not a "safe" execution environment; if someone wants to inject an "rm -rf /*" into your build system there's probably thousands of different attack vectors to achieve this. This applies to all modern java build systems and is not a particular maven problem. I am mostly trying to establish the actual severity of this issue; we will gladly accept patches that update the correctness of the quoting algorithms (or if you can explain it to thickheads like me, I'll even fix it myself!). The code we're talking about here is ancient (and none of my doing) and just understanding the problem/consequences is hard enough.

A patch correcting the quoting algorithm (and avoiding its use where possible) has been attached to PLXUTILS-161.

This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 18's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fixed in plexus-utils-3.0.16-1

I believe that this bug is fixed in plexus-utils-3.0.16-1, which is available in Fedora Rawhide, so I am closing this bug now. The build containing the fix can be found at Koji: http://koji.fedoraproject.org/koji/buildinfo?buildID=494089

This bug was fixed in the next release of Fedora, and is not planned to be fixed in the release it was filed against. If you want this bug to be fixed in updates for Fedora 18, please say so in a comment. Otherwise you can update to the newer release of Fedora to get the fix.
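The quoting rules the report asks plexus-utils to follow are the POSIX shell grammar cited as [2] (XCU 2.2, Quoting). As an added illustration that is not part of the bug report, the upstream patch, or plexus-utils itself, the following Python shows the single-quote wrapping that is correct for any argument, plus a small tokenizer implementing the three POSIX quoting mechanisms so the output can be checked by round trip without running a shell; the function names are mine.

```python
# Added example, not plexus-utils code: POSIX sh quoting per XCU 2.2.
# quote_posix() relies on the one rule that is unconditional in the standard:
# inside single quotes every character is literal, and a single quote itself
# is produced as '\'' (close quote, escaped quote, reopen quote).
# split_posix() is a deliberately small tokenizer (blanks, backslash, single
# and double quotes; no expansions or operators) used only to verify quoting.

def quote_posix(arg: str) -> str:
    """Return arg as exactly one sh word; the empty string becomes ''."""
    if arg == "":
        return "''"
    return "'" + arg.replace("'", "'\\''") + "'"


def split_posix(line: str) -> list[str]:
    """Split a command line into words, honouring POSIX quoting rules."""
    words, cur, have_word = [], [], False
    i, n = 0, len(line)
    while i < n:
        c = line[i]
        if c in " \t\n":                       # unquoted blank ends a word
            if have_word:
                words.append("".join(cur)); cur, have_word = [], False
        elif c == "\\":                         # unquoted backslash: next char literal
            i += 1
            if i < n and line[i] != "\n":       # backslash-newline is a continuation
                cur.append(line[i]); have_word = True
        elif c == "'":                          # single quotes: all literal until next '
            end = line.find("'", i + 1)
            if end < 0:
                raise ValueError("unterminated single quote")
            cur.append(line[i + 1:end]); have_word = True; i = end
        elif c == '"':                          # double quotes: backslash escapes only \ $ ` "
            i += 1
            while i < n and line[i] != '"':
                if line[i] == "\\" and i + 1 < n:
                    if line[i + 1] == "\n":     # continuation inside "..." is removed
                        i += 2; continue
                    if line[i + 1] in '\\$`"':
                        i += 1
                cur.append(line[i]); i += 1
            if i >= n:
                raise ValueError("unterminated double quote")
            have_word = True
        else:
            cur.append(c); have_word = True
        i += 1
    if have_word:
        words.append("".join(cur))
    return words


def roundtrip_ok(argv: list[str]) -> bool:
    """True when quoting each argument and re-splitting yields the same argv."""
    return split_posix(" ".join(quote_posix(a) for a in argv)) == argv
```

Inputs a naive quoter typically mishandles (an embedded single quote, `$`, backticks, a backslash, an empty argument, an embedded newline) all survive the round trip, which is the property a conforming quoter must have.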