Red Hat Bugzilla – Bug 170463
CVE-2006-0225 local to local copy uses shell expansion twice
Last modified: 2007-11-30 17:07:08 EST
+++ This bug was initially created as a clone of Bug #168167 +++
Description of problem:
scp currently implements local-to-local copy by constructing a command line
using 'cp' in a string and then using system(). Beside the fact the using
system() is really always wrong (only lazy people use it) which has the added
problem that the file name is exposed twice to shell expansion. The file name
could contain characters which need quoting, like $ or spaces. This second
expansion must be avoided.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.touch foo\ bar
3.scp foo\ bar somedir
cp: cannot stat `foo': No such file or directory
cp: cannot stat `bar': No such file or directory
no message, file copied
I'll attach a patch. Upstream would probably not like it but it glibc is
advanced enough to provide the necessary functions.
There are also a few more places where I've seen TEMP_FAILURE_RETRY or
equivalent code missing.
*** Bug 179621 has been marked as a duplicate of this bug. ***
This issue is on Red Hat Engineering's list of planned work items
for the upcoming Red Hat Enterprise Linux 3.8 release. Engineering
resources have been assigned and barring unforeseen circumstances, Red
Hat intends to include this item in the 3.8 release.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.