On Wed, Nov 09, 2005 at 04:42:08AM -0800, Charles Stevenson wrote:
> Due to a bug in the environment variable substitution code it is
> possible to inject environment variables such as LD_PRELOAD and gain a
> root shell.

Confirmed. Joey, we'll need an ID for it.

I guess we need to use two buffers to handle the expansion correctly...

Steve
--