Bug 332211 - Tricking sysreport into running 'rm -rf /' critical data loss
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sos
All Linux
urgent Severity high
: rc
: ---
Assigned To: Adam Stokes
: ZStream
Depends On:
Blocks: 424161
Reported: 2007-10-15 09:10 EDT by Martin Poole
Modified: 2009-12-16 11:39 EST

Doc Type: Bug Fix
: 502455 548113 (view as bug list)
Last Closed: 2009-01-20 16:41:29 EST

Attachments
Patch to avoid hazardous filenames (962 bytes, patch)
2007-10-15 09:10 EDT, Martin Poole
Description Martin Poole 2007-10-15 09:10:58 EDT
+++ This bug was initially created as a clone of Bug #332041 +++

Escalated to Bugzilla from IssueTracker

-- Additional comment from mpoole@redhat.com on 2007-10-15 08:22 EST --
RHEL5 sysreport can be tricked into removing data in two different ways.

When prompted for a case number, the input is not vetted. If the value " / " (space
slash space) is entered, the program will attempt to rm -rf /.

If no case number is provided, the logical name used is derived from two
environment variables which are not checked, $LOGNAME and $HOSTNAME.
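The two hazards described in the report, reconstructed as an added POSIX sh example that is not part of the original report, the attached patch, or the sysreport/sos source. The real script is not on the page, so the working directory ROOT, the helper names, and the way $LOGNAME and $HOSTNAME are joined ("user.host") are assumptions made for illustration. The unsafe function never calls rm; it only prints the argument list an unquoted `rm -rf $ROOT/$name` would receive, which is how a case number of " / " turns into a separate "/" argument.

```shell
#!/bin/sh
# Added example (not the sysreport or sos source): the unvetted-name hazard
# from the report beside a hardened replacement. ROOT, the helper names and
# the "user.host" join are assumptions; the real layout is not on the page.

ROOT=/tmp/sysreport   # assumed working directory (hypothetical)

# Vulnerable pattern: the logical name goes straight into an unquoted
# expansion. Prints the argument list rm -rf would receive; never runs rm.
unsafe_rm_args() {
    name="$1"
    # Deliberately unquoted, reproducing the word splitting that turns the
    # case number " / " into two arguments: "/tmp/sysreport/" and "/".
    set -- $ROOT/$name
    printf '%s\n' "$@"
}

# Hardened: the logical name must be non-empty, consist only of
# [A-Za-z0-9._-], and must not start with a dot. Returns 1 on rejection.
vet_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$1"
}

# Derive the logical name: a vetted case number when one is given, otherwise
# $LOGNAME and $HOSTNAME, which are vetted too instead of being trusted.
# Joining them as "user.host" is an assumption, not the real sysreport format.
logical_name() {
    if [ -n "$1" ]; then
        vet_name "$1"
    else
        vet_name "${LOGNAME:-unknown}.${HOSTNAME:-unknown}"
    fi
}

# Remove only a vetted subdirectory of a work root this script created with
# mktemp -d. The target is always quoted, "--" ends option parsing, and the
# function refuses a missing root, the root "/", or a non-directory target.
safe_cleanup() {
    workroot="$1"
    name=$(vet_name "$2") || return 1
    target="$workroot/$name"
    [ -n "$workroot" ] && [ "$workroot" != / ] && [ -d "$workroot" ] || return 1
    [ -d "$target" ] || return 1
    rm -rf -- "$target"
}

# Usage: compare what each path computation does with the hostile input.
if [ "${1:-}" = demo ]; then
    printf 'unsafe argument list for " / ":\n'; unsafe_rm_args ' / '
    printf 'vetted name for " / ": '; logical_name ' / ' || printf '(rejected)\n'
    printf 'vetted name for "01234567": '; logical_name '01234567'
fi
```

Run it with `sh example.sh demo` to see the split argument list for the hostile case number next to the rejection from the vetted path. The character whitelist is deliberately narrow: a name that survives vet_name cannot contain a slash, a space, or a leading dot, so it can never name a parent directory or a separate path element, and safe_cleanup still refuses to act outside a directory the script itself created.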
Comment 1 Martin Poole 2007-10-15 09:10:58 EDT
Created attachment 227651 [details]
Patch to avoid hazardous filenames
Comment 7 Martin Poole 2007-10-17 09:22:40 EDT
Just because these various bugzillas contain many of the same words does not
mean they are the same bugs.

Kindly re-read this report.
Comment 9 Ngo Than 2007-10-23 09:37:53 EDT
sos now obsoletes sysreport. Assigning to the correct component.
Comment 11 RHEL Product and Program Management 2007-12-03 15:46:55 EST
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release.  This request will
be reviewed for a future Red Hat Enterprise Linux release.
Comment 24 errata-xmlrpc 2009-01-20 16:41:29 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.