Control: outlook -1 write test case, fix issue
thanks
On Tue, Sep 17, 2019 at 01:22:46PM +0000, Haoxi Tan wrote:
> A command injection vulnerability has been found in the deluser
> program in the adduser package.
Embarrassing. My own bug. system() should never be used with a string,
just with an array, to avoid a shell being used to execute the code. The
culprit is

    if (system("crontab -l $user >/dev/null 2>&1") == 0) {

which should be rewritten to use systemcall(). Probably it would be wise
to adapt systemcall() to allow redirections.
Greetings
Marc
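
Added example, not part of the original message or of the adduser source: one way to keep the `>/dev/null 2>&1` behaviour of the culprit line while passing the command as a list, so no shell ever parses `$user`. The helper name `run_quiet` is hypothetical (it is not adduser's systemcall()), and the username is a constructed sample.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Hypothetical helper: run a command given as a list, discarding its
# stdout and stderr, without involving /bin/sh at any point.
# Returns the raw wait status ($?), so "== 0" means success, as with system().
sub run_quiet {
    my @argv = @_;
    die "run_quiet: empty command\n" unless @argv;

    my $pid = fork();
    die "fork failed: $!\n" unless defined $pid;

    if ($pid == 0) {
        # Child: perform the redirections ourselves instead of asking a shell to.
        open(STDOUT, '>', '/dev/null') or POSIX::_exit(127);
        open(STDERR, '>&', \*STDOUT)   or POSIX::_exit(127);

        # Indirect-object form: exec never falls back to the shell,
        # even when @argv has a single element.
        { exec { $argv[0] } @argv; }
        POSIX::_exit(127);    # only reached if exec itself failed
    }

    waitpid($pid, 0);
    return $?;
}

# Constructed input: a "username" containing a shell metacharacter.
my $user = 'alice; true';

# Same command as the culprit line, as a list. $user reaches crontab as
# exactly one argv element; the ';' has no special meaning here.
if (run_quiet('crontab', '-l', $user) == 0) {
    print "crontab found for '$user'\n";
} else {
    print "no crontab for '$user' (or crontab failed)\n";
}
```

With the string form, the same value of `$user` would be split by the shell at the `;`; with the list form it is only ever an argument to crontab, which rejects it.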