From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2) Gecko/20040308

Description of problem:
There was a vulnerability announced on full disclosure:
http://marc.theaimsgroup.com/?l=full-disclosure&m=109334851517137&w=2

I've tested this at length and the patch is good. The risk is that when a user downloads a "trusted" tarball and then does a wildcard print of all files in a directory, the shell can execute some of the filenames. The root cause of this hole is that popen() is used without escaping the characters in the filename.

Version-Release number of selected component (if applicable):
a2ps-4.13b-40

How reproducible:
Always

Steps to Reproduce:
1. touch 'x`echo >&2 42`.c'
2. a2ps -o /dev/null *.c

Actual Results:
42

Expected Results:
The contents of x`echo >&2 42` printed instead of executed.

Additional info:
I will attach a patch for this. As far as security severity, I would classify this as low to medium risk. It is very unexpected for filenames to be executed instead of printed.

Created attachment 103479
Patch that fixes this problem

Please apply before fc3test2 is finalized.

Unable to verify. Did you actually try this with 4.13b-40?

I just re-tested the whole thing and it looks fine, too.

/usr/bin/file -L "${filename}"

This should be safe. Somewhere along the way I must have used an older copy by accident. Sorry.
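
The difference this thread turns on, as an added example that is not part of the bug report or of a2ps: a filename pasted into the popen() command string (the root cause named in the first comment) versus a fixed command that reads it from a quoted variable (the form quoted in the last comment). The function names, the `filename` environment variable as the delivery mechanism, and `printf` standing in for /usr/bin/file are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* popen(), pclose(), setenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Run cmd through /bin/sh and copy its stdout into out. Returns 0 on success. */
static int capture(const char *cmd, char *out, size_t outsz)
{
    FILE *p = popen(cmd, "r");
    if (p == NULL)
        return -1;
    size_t n = fread(out, 1, outsz - 1, p);
    out[n] = '\0';
    return pclose(p) == -1 ? -1 : 0;
}

/* Vulnerable pattern: the filename becomes part of the shell's source text,
 * so backticks, $(...) and quotes inside it are parsed by the shell. */
int describe_interpolated(const char *filename, char *out, size_t outsz)
{
    char cmd[512];
    int len = snprintf(cmd, sizeof cmd, "printf '%%s' \"%s\"", filename);
    if (len < 0 || (size_t)len >= sizeof cmd)
        return -1;
    return capture(cmd, out, outsz);
}

/* Hardened pattern (assumed mechanism, not a2ps code): the command text is a
 * constant; the shell expands "${filename}" as data and never re-parses it. */
int describe_via_env(const char *filename, char *out, size_t outsz)
{
    if (setenv("filename", filename, 1) != 0)
        return -1;
    return capture("printf '%s' \"${filename}\"", out, outsz);
}

int main(void)
{
    const char *name = "x`echo >&2 42`.c";   /* filename from the report */
    char a[256], b[256];
    if (describe_interpolated(name, a, sizeof a) == 0)
        printf("interpolated: %s\n", a);
    if (describe_via_env(name, b, sizeof b) == 0)
        printf("via env:      %s\n", b);
    return 0;
}
```

With the interpolated form the embedded echo runs (42 appears on stderr) and the name collapses to x.c; with the environment form the name comes back unchanged.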