Bug 31520 – db2XXX scripts have unsecure parameter passing

Bug 31520 - db2XXX scripts have unsecure parameter passing

Summary:	db2XXX scripts have unsecure parameter passing

Status:	CLOSED RAWHIDE

Aliases:	None

Product:	Red Hat Raw Hide
Classification:	Retired
Component:	docbook-utils (Show other bugs)
Sub Component:
Version:	1.0
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Tim Waugh
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:	Security

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2001-03-12 12:04 EST by matti aarnio
Modified:	2008-05-01 11:38 EDT (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2001-03-12 12:08:43 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description matti aarnio 2001-03-12 12:04:06 EST

package: docbook-utils-0.6-11

The  db2pdf(*),  db2dvi, db2ps, and db2rtf are all of
style:

#! /bin/sh
jw -f docbook -b rtf $*

while they should be:

#! /bin/sh
jw -f docbook -b rtf "$*"

in case any of the passed options have IFS characters in them...

(*) The db2pdf is at package  docbook-utils-pdf  which isn't listed at RH
component dataset.

Comment 1 Tim Waugh 2001-03-12 12:08:38 EST

(ITYM "$@".)  Thanks for spotting it.

Comment 2 Tim Waugh 2001-03-12 13:42:38 EST

Fixed in docbook-utils-0.6-12 in rawhide, although I don't think it's really a 
security issue.

Note You need to log in before you can comment on or make changes to this bug.